Totolink

All CVEs

1,201 total · sorted by risk
  • CVE-2022-27411 · May 5, 2022
    risk 0.00 · cvss · epss 0.02

    TOTOLINK N600R v5.3c.5507_B20171031 was discovered to contain a command injection vulnerability via the QUERY_STRING parameter in the "Main" function.

  • CVE-2020-23617 · May 2, 2022
    risk 0.00 · cvss · epss 0.01

    A cross-site scripting (XSS) vulnerability in the error page of Totolink N200RE and N100RE Routers 2.0 allows attackers to execute arbitrary web scripts or HTML via a SCRIPT element.

  • CVE-2021-43663 · Mar 30, 2022
    risk 0.00 · cvss · epss 0.01

    Totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a command injection vulnerability via the component cloudupdate_check.

  • CVE-2021-43662 · Mar 30, 2022
    risk 0.00 · cvss · epss 0.01

    Totolink EX300_v2 version V4.0.3c.140_B20210429 and A720R version V4.1.5cu.470_B20200911 have an issue which causes uncontrolled resource consumption.

  • CVE-2021-43661 · Mar 30, 2022
    risk 0.00 · cvss · epss 0.01

    Totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /home.asp.

  • CVE-2021-43664 · Mar 30, 2022
    risk 0.00 · cvss · epss 0.02

    Totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a command injection vulnerability via the component process forceugpo.

  • CVE-2021-46006 · Mar 30, 2022
    risk 0.00 · cvss · epss 0.07

    In Totolink A3100R V5.9c.4577, "test.asp" contains an API-like function, which is not authenticated. Using this function, an attacker can configure multiple settings without authentication.

  • CVE-2022-25008 · Mar 30, 2022
    risk 0.00 · cvss · epss 0.04

    Totolink EX300_v2 V4.0.3c.140_B20210429 and EX1200T V4.1.2cu.5230_B20210706 do not contain an authentication mechanism.

  • CVE-2021-46008 · Mar 30, 2022
    risk 0.00 · cvss · epss 0.01

    In Totolink A3100R V5.9c.4577, the hard-coded telnet password can be discovered from the officially released firmware. An attacker who has connected to the Wi-Fi can easily telnet into the target with a root shell if the telnet function is turned on.

  • CVE-2021-46009 · Mar 30, 2022
    risk 0.00 · cvss · epss 0.15

    In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies.

  • CVE-2021-46010 · Mar 30, 2022
    risk 0.00 · cvss · epss 0.02

    Totolink A3100R V5.9c.4577 suffers from Use of Insufficiently Random Values via the web configuration. The SESSION_ID is predictable. An attacker can hijack a valid session and conduct further malicious operations.

  • CVE-2022-26189 · Mar 22, 2022
    risk 0.00 · cvss · epss 0.03

    TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the langType parameter in the login interface.

  • CVE-2022-26188 · Mar 22, 2022
    risk 0.00 · cvss · epss 0.03

    TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via /setting/NTPSyncWithHost.

  • CVE-2021-44620 · Mar 11, 2022
    risk 0.00 · cvss · epss 0.02

    A command injection vulnerability exists in TOTOLINK A3100R <=V4.1.2cu.5050_B20200504 in adm/ntm.asp via the hosTime parameters.

  • CVE-2022-25083 · Feb 22, 2022
    risk 0.00 · cvss · epss 0.03

    TOTOLink A860R V4.1.2cu.5182_B20201027 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

  • CVE-2022-25080 · Feb 22, 2022
    risk 0.00 · cvss · epss 0.03

    TOTOLink A830R V5.9c.4729_B20191112 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

  • CVE-2022-25081 · Feb 22, 2022
    risk 0.00 · cvss · epss 0.03

    TOTOLink T10 V5.9c.5061_B20200511 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

  • CVE-2022-25079 · Feb 22, 2022
    risk 0.00 · cvss · epss 0.03

    TOTOLink A810R V4.1.2cu.5182_B20201026 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

  • CVE-2022-25078 · Feb 22, 2022
    risk 0.00 · cvss · epss 0.03

    TOTOLink A3600R V4.1.2cu.5182_B20201102 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

  • CVE-2022-25076 · Feb 22, 2022
    risk 0.00 · cvss · epss 0.03

    TOTOLink A800R V4.1.2cu.5137_B20200730 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

  • CVE-2022-25137 · Feb 18, 2022
    risk 0.00 · cvss · epss 0.02

    A command injection vulnerability in the function recvSlaveUpgstatus of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.

  • CVE-2022-25136 · Feb 18, 2022
    risk 0.00 · cvss · epss 0.02

    A command injection vulnerability in the function meshSlaveUpdate of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.

  • CVE-2022-25131 · Feb 18, 2022
    risk 0.00 · cvss · epss 0.02

    A command injection vulnerability in the function recvSlaveCloudCheckStatus of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.

  • CVE-2022-25130 · Feb 18, 2022
    risk 0.00 · cvss · epss 0.02

    A command injection vulnerability in the function updateWifiInfo of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.

  • CVE-2021-44246 · Feb 4, 2022
    risk 0.00 · cvss · epss 0.01

    Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain a stack overflow in the function setNoticeCfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the IpTo parameter.

  • CVE-2021-45734 · Feb 4, 2022
    risk 0.00 · cvss · epss 0.01

    TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setUrlFilterRules. This vulnerability allows attackers to cause a Denial of Service (DoS) via the url parameter.

  • CVE-2021-45735 · Feb 4, 2022
    risk 0.00 · cvss · epss 0.04

    TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to use the HTTP protocol for authentication into the admin interface, allowing attackers to intercept user credentials via packet capture software.

  • CVE-2021-45736 · Feb 4, 2022
    risk 0.00 · cvss · epss 0.01

    TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setL2tpServerCfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the eip, sip, and server parameters.

  • CVE-2021-45737 · Feb 4, 2022
    risk 0.00 · cvss · epss 0.01

    TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the Host parameter.

  • CVE-2021-45739 · Feb 4, 2022
    risk 0.00 · cvss · epss 0.01

    TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the flag parameter.

  • CVE-2021-45740 · Feb 4, 2022
    risk 0.00 · cvss · epss 0.01

    TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the setWiFiWpsStart function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the pin parameter.

  • CVE-2021-45741 · Feb 4, 2022
    risk 0.00 · cvss · epss 0.01

    TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setIpv6Cfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the relay6to4 parameters.

  • CVE-2021-34228 · Aug 20, 2021
    risk 0.00 · cvss · epss 0.29

    Cross-site scripting in parent_control.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Description" field and "Service Name" field.

  • CVE-2021-34223 · Aug 20, 2021
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting in urlfilter.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "URL Address" field.

  • CVE-2021-34220 · Aug 20, 2021
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting in tr069config.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "User Name" field or "Password" field.

  • CVE-2021-34218 · Aug 20, 2021
    risk 0.00 · cvss · epss 0.01

    Directory indexing in the login portal of TOTOLINK-A702R-V1.0.0-B20161227.1023 allows an attacker to access the /add/, /img/, /js/, and /mobile directories via a GET parameter.

  • CVE-2021-34215 · Aug 20, 2021
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting in tcpipwan.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Service Name" field.

  • CVE-2021-34207 · Aug 20, 2021
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting in ddns.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Domain Name" field, "Server Address" field, "User Name/Email", or "Password/Key" field.

  • CVE-2021-35325 · Aug 5, 2021
    risk 0.00 · cvss · epss 0.13

    A stack overflow in the checkLoginUser function of TOTOLINK A720R A720R_Firmware v4.1.5cu.470_B20200911 allows attackers to cause a denial of service (DoS).

  • CVE-2021-35327 · Aug 5, 2021
    risk 0.00 · cvss · epss 0.01

    A vulnerability in TOTOLINK A720R A720R_Firmware v4.1.5cu.470_B20200911 allows attackers to start the Telnet service, then log in with the default credentials via a crafted POST request.

  • CVE-2021-35326 · Aug 5, 2021
    risk 0.00 · cvss · epss 0.03

    A vulnerability in TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows attackers to download the configuration file by sending a crafted HTTP request.

  • CVE-2021-35324 · Aug 5, 2021
    risk 0.00 · cvss · epss 0.10

    A vulnerability in the Form_Login function of TOTOLINK A720R A720R_Firmware V4.1.5cu.470_B20200911 allows attackers to bypass authentication.

  • CVE-2020-27368 · Jan 14, 2021
    risk 0.00 · cvss · epss 0.00

    Directory indexing in the login portal of TOTOLINK-A702R-V1.0.0-B20161227.1023 allows an attacker to access /icons/ directories via a GET parameter.

  • CVE-2015-9550 · Nov 24, 2020
    risk 0.00 · cvss · epss 0.02

    An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. By sending a specific hel,xasf packet to the WAN interface, it is possible to open the web management interface on the WAN interface.

  • CVE-2018-13313 · Feb 24, 2020
    risk 0.00 · cvss · epss 0.01

    In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the user to change their account name and password. This page, password.htm, contains JavaScript which is used to confirm the user knows their current password before allowing them to change their password.…

  • CVE-2018-13310 · Nov 26, 2018
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's username.

  • CVE-2018-13309 · Nov 26, 2018
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's password.

  • CVE-2018-13312 · Nov 26, 2018
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "Input your notice URL" field.

  • CVE-2018-13308 · Nov 26, 2018
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "User phrases button" field.

  • CVE-2018-13315 · Nov 26, 2018
    risk 0.00 · cvss · epss 0.02

    Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request.

Page 24 of 25