Vulnerabilities > Totolink > A3002Ru Firmware
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-12-06 | CVE-2023-48859 | Incorrect Authorization vulnerability in Totolink A3002Ru Firmware 2.0.0B20190902.1958 TOTOLINK A3002RU version 2.0.0-B20190902.1958 has a post-authentication RCE due to incorrect access control, allows attackers to bypass front-end security restrictions and execute arbitrary code. | 8.8 |
| 2020-02-24 | CVE-2018-13313 | Insecure Storage of Sensitive Information vulnerability in Totolink A3002Ru Firmware 1.0.8 In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the user to change their account name and password. | 4.0 |
| 2020-01-27 | CVE-2019-19824 | OS Command Injection vulnerability in Totolink products On certain TOTOLINK Realtek SDK based routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. | 9.0 |
| 2020-01-27 | CVE-2019-19823 | Insufficiently Protected Credentials vulnerability in multiple products A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) stores cleartext administrative passwords in flash memory and in a file. | 5.0 |
| 2020-01-27 | CVE-2019-19822 | Missing Authentication for Critical Function vulnerability in multiple products A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) allows remote attackers to retrieve the configuration, including sensitive data (usernames and passwords). | 5.0 |
| 2020-01-27 | CVE-2019-19825 | Improper Authentication vulnerability in Totolink products On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl":"setting/getSanvas"} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass. | 7.5 |
| 2018-11-27 | CVE-2018-13316 | OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8 System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "subnet" POST parameter. | 10.0 |
| 2018-11-27 | CVE-2018-13314 | OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8 System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ipAddr" POST parameter. | 10.0 |
| 2018-11-27 | CVE-2018-13307 | OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8 System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. | 10.0 |
| 2018-11-27 | CVE-2018-13306 | OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8 System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ftpUser" POST parameter. | 10.0 |