A3002RU
by Totolink
CVEs (91)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-34228 | | Med | 0.42 | 6.1 | 0.29 | | Aug 20, 2021 | Cross-site scripting in parent_control.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Description" field and "Service Name" field. |
| CVE-2018-13313 | | Med | 0.42 | 6.5 | 0.01 | | Feb 24, 2020 | In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the user to change their account name and password. This page, password.htm, contains JavaScript which is used to confirm the user knows their current password before allowing them to change their password.… |
| CVE-2021-34223 | | Med | 0.40 | 6.1 | 0.01 | | Aug 20, 2021 | Cross-site scripting in urlfilter.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "URL Address" field. |
| CVE-2021-34220 | | Med | 0.40 | 6.1 | 0.01 | | Aug 20, 2021 | Cross-site scripting in tr069config.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "User Name" field or "Password" field. |
| CVE-2021-34215 | | Med | 0.40 | 6.1 | 0.01 | | Aug 20, 2021 | Cross-site scripting in tcpipwan.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Service Name" field. |
| CVE-2021-34207 | | Med | 0.40 | 6.1 | 0.01 | | Aug 20, 2021 | Cross-site scripting in ddns.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Domain Name" field, "Server Address" field, "User Name/Email", or "Password/Key" field. |
| CVE-2018-13317 | | Med | 0.40 | 6.1 | 0.01 | | Nov 26, 2018 | Password disclosure in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to obtain the plaintext password for the admin user by making a GET request for password.htm. |
| CVE-2018-13312 | | Med | 0.40 | 6.1 | 0.01 | | Nov 26, 2018 | Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "Input your notice URL" field. |
| CVE-2018-13310 | | Med | 0.40 | 6.1 | 0.01 | | Nov 26, 2018 | Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's username. |
| CVE-2018-13309 | | Med | 0.40 | 6.1 | 0.01 | | Nov 26, 2018 | Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's password. |
| CVE-2018-13308 | | Med | 0.40 | 6.1 | 0.01 | | Nov 26, 2018 | Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "User phrases button" field. |
| CVE-2025-25579 | | | 0.03 | — | 0.10 | | Mar 28, 2025 | TOTOLINK A3002R V4.0.0-B20230531.1404 is vulnerable to Command Injection in /bin/boa via bandstr. |
| CVE-2025-55591 | | | 0.01 | — | 0.07 | | Aug 18, 2025 | TOTOLINK-A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability in the devicemac parameter in the formMapDel endpoint. |
| CVE-2025-45858 | | | 0.01 | — | 0.09 | | May 13, 2025 | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability via the FUN_00459fdc function. |
| CVE-2026-26732 | | | 0.00 | — | 0.00 | | Feb 17, 2026 | TOTOLINK A3002RU V2.1.1-B20211108.1455 was discovered to contain a stack-based buffer overflow via the vpnUser or vpnPassword parameters in the formFilter function. |
| CVE-2026-26731 | | | 0.00 | — | 0.00 | | Feb 17, 2026 | TOTOLINK A3002RU V2.1.1-B20211108.1455 was discovered to contain a stack-based buffer overflow via the routernamer parameter in the formDnsv6 function. |
| CVE-2026-26736 | | | 0.00 | — | 0.00 | | Feb 17, 2026 | TOTOLINK A3002RU_V3 V3.0.0-B20220304.1804 was discovered to contain a stack-based buffer overflow via the static_ipv6 parameter in the formIpv6Setup function. |
| CVE-2025-55590 | | | 0.00 | — | 0.01 | | Aug 18, 2025 | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability via the component bupload.html. |
| CVE-2025-55585 | | | 0.00 | — | 0.00 | | Aug 18, 2025 | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain an eval injection vulnerability via the eval() function. |
| CVE-2025-55588 | | | 0.00 | — | 0.00 | | Aug 18, 2025 | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the fw_ip parameter at /boafrm/formPortFw. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. |