Vulnerabilities > Totolink > A3002Ru Firmware

DATE CVE VULNERABILITY TITLE RISK
2023-12-06 CVE-2023-48859 Incorrect Authorization vulnerability in Totolink A3002Ru Firmware 2.0.0B20190902.1958
TOTOLINK A3002RU version 2.0.0-B20190902.1958 has a post-authentication RCE due to incorrect access control, allows attackers to bypass front-end security restrictions and execute arbitrary code.
network
low complexity
totolink CWE-863
8.8
2022-08-10 CVE-2022-35491 Use of Hard-coded Credentials vulnerability in Totolink A3002Ru Firmware 3.0.0B20220304.1804
TOTOLINK A3002RU V3.0.0-B20220304.1804 has a hardcoded password for root in /etc/shadow.sample.
network
low complexity
totolink CWE-798
critical
9.8
2020-02-24 CVE-2018-13313 Insecure Storage of Sensitive Information vulnerability in Totolink A3002Ru Firmware 1.0.8
In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the user to change their account name and password.
network
low complexity
totolink CWE-922
6.5
2020-01-27 CVE-2019-19824 OS Command Injection vulnerability in Totolink products
On certain TOTOLINK Realtek SDK based routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available.
network
low complexity
totolink CWE-78
8.8
2020-01-27 CVE-2019-19823 Insufficiently Protected Credentials vulnerability in multiple products
A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) stores cleartext administrative passwords in flash memory and in a file.
7.5
2020-01-27 CVE-2019-19822 Missing Authentication for Critical Function vulnerability in multiple products
A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) allows remote attackers to retrieve the configuration, including sensitive data (usernames and passwords).
7.5
2020-01-27 CVE-2019-19825 Improper Authentication vulnerability in Totolink products
On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl":"setting/getSanvas"} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass.
network
low complexity
totolink CWE-287
critical
9.8
2018-11-27 CVE-2018-13316 OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8
System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "subnet" POST parameter.
network
low complexity
totolink CWE-78
critical
9.8
2018-11-27 CVE-2018-13314 OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8
System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ipAddr" POST parameter.
network
low complexity
totolink CWE-78
critical
9.8
2018-11-27 CVE-2018-13307 OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8
System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter.
network
low complexity
totolink CWE-78
critical
9.8