Vulnerabilities > Totolink > A3002Ru Firmware > 1.0.8
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-02-24 | CVE-2018-13313 | Insecure Storage of Sensitive Information vulnerability in Totolink A3002Ru Firmware 1.0.8 In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the user to change their account name and password. | 6.5 |
| 2020-01-27 | CVE-2019-19824 | OS Command Injection vulnerability in Totolink products On certain TOTOLINK Realtek SDK based routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. | 8.8 |
| 2020-01-27 | CVE-2019-19823 | Insufficiently Protected Credentials vulnerability in multiple products A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) stores cleartext administrative passwords in flash memory and in a file. | 7.5 |
| 2020-01-27 | CVE-2019-19822 | Missing Authentication for Critical Function vulnerability in multiple products A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) allows remote attackers to retrieve the configuration, including sensitive data (usernames and passwords). | 7.5 |
| 2020-01-27 | CVE-2019-19825 | Improper Authentication vulnerability in Totolink products On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl":"setting/getSanvas"} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass. | 9.8 |
| 2018-11-27 | CVE-2018-13316 | OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8 System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "subnet" POST parameter. | 9.8 |
| 2018-11-27 | CVE-2018-13314 | OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8 System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ipAddr" POST parameter. | 9.8 |
| 2018-11-27 | CVE-2018-13307 | OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8 System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. | 9.8 |
| 2018-11-27 | CVE-2018-13306 | OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8 System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ftpUser" POST parameter. | 9.8 |
| 2018-11-26 | CVE-2018-13317 | Cross-site Scripting vulnerability in Totolink A3002Ru Firmware 1.0.8 Password disclosure in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to obtain the plaintext password for the admin user by making a GET request for password.htm. | 6.1 |