Vulnerabilities > Totolink > A3002Ru Firmware

DATE CVE VULNERABILITY TITLE RISK
2018-11-27 CVE-2018-13306 OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ftpUser" POST parameter.
network
low complexity
totolink CWE-78
critical
9.8
2018-11-26 CVE-2018-13317 Cross-site Scripting vulnerability in Totolink A3002Ru Firmware 1.0.8
Password disclosure in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to obtain the plaintext password for the admin user by making a GET request for password.htm.
network
low complexity
totolink CWE-79
6.1
2018-11-26 CVE-2018-13315 Improper Input Validation vulnerability in Totolink A3002Ru Firmware 1.0.8
Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request.
network
low complexity
totolink CWE-20
critical
9.8
2018-11-26 CVE-2018-13312 Cross-site Scripting vulnerability in Totolink A3002Ru Firmware 1.0.8
Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "Input your notice URL" field.
network
low complexity
totolink CWE-79
6.1
2018-11-26 CVE-2018-13311 OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "sambaUser" POST parameter.
network
low complexity
totolink CWE-78
critical
9.8
2018-11-26 CVE-2018-13310 Cross-site Scripting vulnerability in Totolink A3002Ru Firmware 1.0.8
Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's username.
network
low complexity
totolink CWE-79
6.1
2018-11-26 CVE-2018-13309 Cross-site Scripting vulnerability in Totolink A3002Ru Firmware 1.0.8
Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's password.
network
low complexity
totolink CWE-79
6.1
2018-11-26 CVE-2018-13308 Cross-site Scripting vulnerability in Totolink A3002Ru Firmware 1.0.8
Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "User phrases button" field.
network
low complexity
totolink CWE-79
6.1