Vendor CVEs
Totolink
All CVEs
1,201 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2022-27411 | 0.00 | — | 0.02 | May 5, 2022 | TOTOLINK N600R v5.3c.5507_B20171031 was discovered to contain a command injection vulnerability via the QUERY_STRING parameter in the "Main" function. |
| CVE-2020-23617 | 0.00 | — | 0.01 | May 2, 2022 | A cross site scripting (XSS) vulnerability in the error page of Totolink N200RE and N100RE Routers 2.0 allows attackers to execute arbitrary web scripts or HTML via SCRIPT element. |
| CVE-2021-43663 | 0.00 | — | 0.01 | Mar 30, 2022 | totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a command injection vulnerability via the component cloudupdate_check. |
| CVE-2021-43662 | 0.00 | — | 0.01 | Mar 30, 2022 | totolink EX300_v2, ver V4.0.3c.140_B20210429 and A720R, ver V4.1.5cu.470_B20200911 have an issue which causes uncontrolled resource consumption. |
| CVE-2021-43661 | 0.00 | — | 0.01 | Mar 30, 2022 | totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /home.asp. |
| CVE-2021-43664 | 0.00 | — | 0.02 | Mar 30, 2022 | totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a command injection vulnerability via the component process forceugpo. |
| CVE-2021-46006 | 0.00 | — | 0.07 | Mar 30, 2022 | In Totolink A3100R V5.9c.4577, "test.asp" contains an API-like function, which is not authenticated. Using this function, an attacker can configure multiple settings without authentication. |
| CVE-2022-25008 | 0.00 | — | 0.04 | Mar 30, 2022 | totolink EX300_v2 V4.0.3c.140_B20210429 and EX1200T V4.1.2cu.5230_B20210706 do not contain an authentication mechanism. |
| CVE-2021-46008 | 0.00 | — | 0.01 | Mar 30, 2022 | In totolink a3100r V5.9c.4577, the hard-coded telnet password can be discovered from official released firmware. An attacker, who has connected to the Wi-Fi, can easily telnet into the target with root shell if the telnet function is turned on. |
| CVE-2021-46009 | 0.00 | — | 0.15 | Mar 30, 2022 | In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies. |
| CVE-2021-46010 | 0.00 | — | 0.02 | Mar 30, 2022 | Totolink A3100R V5.9c.4577 suffers from Use of Insufficiently Random Values via the web configuration. The SESSION_ID is predictable. An attacker can hijack a valid session and conduct further malicious operations. |
| CVE-2022-26189 | 0.00 | — | 0.03 | Mar 22, 2022 | TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the langType parameter in the login interface. |
| CVE-2022-26188 | 0.00 | — | 0.03 | Mar 22, 2022 | TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via /setting/NTPSyncWithHost. |
| CVE-2021-44620 | 0.00 | — | 0.02 | Mar 11, 2022 | A Command Injection vulnerability exists in TOTOLINK A3100R <=V4.1.2cu.5050_B20200504 in adm/ntm.asp via the hosTime parameters. |
| CVE-2022-25083 | 0.00 | — | 0.03 | Feb 22, 2022 | TOTOLink A860R V4.1.2cu.5182_B20201027 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter. |
| CVE-2022-25080 | 0.00 | — | 0.03 | Feb 22, 2022 | TOTOLink A830R V5.9c.4729_B20191112 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter. |
| CVE-2022-25081 | 0.00 | — | 0.03 | Feb 22, 2022 | TOTOLink T10 V5.9c.5061_B20200511 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter. |
| CVE-2022-25079 | 0.00 | — | 0.03 | Feb 22, 2022 | TOTOLink A810R V4.1.2cu.5182_B20201026 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter. |
| CVE-2022-25078 | 0.00 | — | 0.03 | Feb 22, 2022 | TOTOLink A3600R V4.1.2cu.5182_B20201102 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter. |
| CVE-2022-25076 | 0.00 | — | 0.03 | Feb 22, 2022 | TOTOLink A800R V4.1.2cu.5137_B20200730 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter. |
| CVE-2022-25137 | 0.00 | — | 0.02 | Feb 18, 2022 | A command injection vulnerability in the function recvSlaveUpgstatus of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet. |
| CVE-2022-25136 | 0.00 | — | 0.02 | Feb 18, 2022 | A command injection vulnerability in the function meshSlaveUpdate of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet. |
| CVE-2022-25131 | 0.00 | — | 0.02 | Feb 18, 2022 | A command injection vulnerability in the function recvSlaveCloudCheckStatus of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet. |
| CVE-2022-25130 | 0.00 | — | 0.02 | Feb 18, 2022 | A command injection vulnerability in the function updateWifiInfo of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet. |
| CVE-2021-44246 | 0.00 | — | 0.01 | Feb 4, 2022 | Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain a stack overflow in the function setNoticeCfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the IpTo parameter. |
| CVE-2021-45734 | 0.00 | — | 0.01 | Feb 4, 2022 | TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setUrlFilterRules. This vulnerability allows attackers to cause a Denial of Service (DoS) via the url parameter. |
| CVE-2021-45735 | 0.00 | — | 0.04 | Feb 4, 2022 | TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to use the HTTP protocol for authentication into the admin interface, allowing attackers to intercept user credentials via packet capture software. |
| CVE-2021-45736 | 0.00 | — | 0.01 | Feb 4, 2022 | TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setL2tpServerCfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the eip, sip, server parameters. |
| CVE-2021-45737 | 0.00 | — | 0.01 | Feb 4, 2022 | TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the Host parameter. |
| CVE-2021-45739 | 0.00 | — | 0.01 | Feb 4, 2022 | TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the flag parameter. |
| CVE-2021-45740 | 0.00 | — | 0.01 | Feb 4, 2022 | TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the setWiFiWpsStart function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the pin parameter. |
| CVE-2021-45741 | 0.00 | — | 0.01 | Feb 4, 2022 | TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setIpv6Cfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the relay6to4 parameters. |
| CVE-2021-34228 | 0.00 | — | 0.29 | Aug 20, 2021 | Cross-site scripting in parent_control.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Description" field and "Service Name" field. |
| CVE-2021-34223 | 0.00 | — | 0.01 | Aug 20, 2021 | Cross-site scripting in urlfilter.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "URL Address" field. |
| CVE-2021-34220 | 0.00 | — | 0.01 | Aug 20, 2021 | Cross-site scripting in tr069config.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "User Name" field or "Password" field. |
| CVE-2021-34218 | 0.00 | — | 0.01 | Aug 20, 2021 | Directory Indexing in Login Portal of TOTOLINK-A702R-V1.0.0-B20161227.1023 allows attacker to access /add/, /img/, /js/, and /mobile directories via GET Parameter. |
| CVE-2021-34215 | 0.00 | — | 0.01 | Aug 20, 2021 | Cross-site scripting in tcpipwan.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Service Name" field. |
| CVE-2021-34207 | 0.00 | — | 0.01 | Aug 20, 2021 | Cross-site scripting in ddns.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Domain Name" field, "Server Address" field, "User Name/Email", or "Password/Key" field. |
| CVE-2021-35325 | 0.00 | — | 0.13 | Aug 5, 2021 | A stack overflow in the checkLoginUser function of TOTOLINK A720R A720R_Firmware v4.1.5cu.470_B20200911 allows attackers to cause a denial of service (DOS). |
| CVE-2021-35327 | 0.00 | — | 0.01 | Aug 5, 2021 | A vulnerability in TOTOLINK A720R A720R_Firmware v4.1.5cu.470_B20200911 allows attackers to start the Telnet service, then login with the default credentials via a crafted POST request. |
| CVE-2021-35326 | 0.00 | — | 0.03 | Aug 5, 2021 | A vulnerability in TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows attackers to download the configuration file via sending a crafted HTTP request. |
| CVE-2021-35324 | 0.00 | — | 0.10 | Aug 5, 2021 | A vulnerability in the Form_Login function of TOTOLINK A720R A720R_Firmware V4.1.5cu.470_B20200911 allows attackers to bypass authentication. |
| CVE-2020-27368 | 0.00 | — | 0.00 | Jan 14, 2021 | Directory Indexing in Login Portal of TOTOLINK-A702R-V1.0.0-B20161227.1023 allows attacker to access /icons/ directories via GET Parameter. |
| CVE-2015-9550 | 0.00 | — | 0.02 | Nov 24, 2020 | An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. By sending a specific hel,xasf packet to the WAN interface, it is possible to open the web management interface on the WAN interface. |
| CVE-2018-13313 | 0.00 | — | 0.01 | Feb 24, 2020 | In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the user to change their account name and password. This page, password.htm, contains JavaScript which is used to confirm the user knows their current password before allowing them to change their password.… |
| CVE-2018-13310 | 0.00 | — | 0.01 | Nov 26, 2018 | Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's username. |
| CVE-2018-13309 | 0.00 | — | 0.01 | Nov 26, 2018 | Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's password. |
| CVE-2018-13312 | 0.00 | — | 0.01 | Nov 26, 2018 | Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "Input your notice URL" field. |
| CVE-2018-13308 | 0.00 | — | 0.01 | Nov 26, 2018 | Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "User phrases button" field. |
| CVE-2018-13315 | 0.00 | — | 0.02 | Nov 26, 2018 | Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request. |

Page 24 of 25