Vulnerabilities > Totolink > A3002Ru Firmware > Critical

DATE CVE VULNERABILITY TITLE RISK
2022-08-10 CVE-2022-35491 Use of Hard-coded Credentials vulnerability in Totolink A3002Ru Firmware 3.0.0B20220304.1804
TOTOLINK A3002RU V3.0.0-B20220304.1804 has a hardcoded password for root in /etc/shadow.sample.
network | low complexity | totolink | CWE-798 | critical | 9.8
2020-01-27 CVE-2019-19825 Improper Authentication vulnerability in Totolink products
On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl":"setting/getSanvas"} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass.
network | low complexity | totolink | CWE-287 | critical | 9.8
2018-11-27 CVE-2018-13306 OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ftpUser" POST parameter.
network | low complexity | totolink | CWE-78 | critical | 9.8
2018-11-27 CVE-2018-13307 OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8
System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter.
network | low complexity | totolink | CWE-78 | critical | 9.8
2018-11-27 CVE-2018-13314 OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8
System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ipAddr" POST parameter.
network | low complexity | totolink | CWE-78 | critical | 9.8
2018-11-27 CVE-2018-13316 OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8
System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "subnet" POST parameter.
network | low complexity | totolink | CWE-78 | critical | 9.8
2018-11-26 CVE-2018-13311 OS Command Injection vulnerability in Totolink A3002Ru Firmware 1.0.8
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "sambaUser" POST parameter.
network | low complexity | totolink | CWE-78 | critical | 9.8
2018-11-26 CVE-2018-13315 Improper Input Validation vulnerability in Totolink A3002Ru Firmware 1.0.8
Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request.
network | low complexity | totolink | CWE-20 | critical | 9.8