CVEs (49)
CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS |
|---|
1Totolink 1A3002ru Firmware Nov 21, 2024 Nov 27, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. Certain payloads cause the device to become permanently inoperable. |
1Totolink 1A3002ru Firmware Nov 21, 2024 Nov 27, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ftpUser" POST parameter. |
Password disclosure in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to obtain the plaintext password for the admin user by making a GET request for password.htm. |
1Totolink 1A3002ru Firmware Nov 21, 2024 Nov 26, 2018 N/A· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request. |
Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "Input your notice URL" field. |
1Totolink 1A3002ru Firmware Nov 21, 2024 Nov 26, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "sambaUser" POST parameter. |
Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's username. |
Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's password. |
Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "User phrases button" field. |