Filtered by vendor Totolink
Subscribe
Total
514 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-45738 | 1 Totolink | 2 X5000r, X5000r Firmware | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function UploadFirmwareFile. This vulnerability allows attackers to execute arbitrary commands via the parameter FileName. | |||||
CVE-2021-34218 | 1 Totolink | 2 A3002r, A3002r Firmware | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
Directory Indexing in Login Portal of Login Portal of TOTOLINK-A702R-V1.0.0-B20161227.1023 allows attacker to access /add/ , /img/, /js/, and /mobile directories via GET Parameter. | |||||
CVE-2021-35327 | 1 Totolink | 2 A720r, A720r Firmware | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
A vulnerability in TOTOLINK A720R A720R_Firmware v4.1.5cu.470_B20200911 allows attackers to start the Telnet service, then login with the default credentials via a crafted POST request. | |||||
CVE-2021-27708 | 1 Totolink | 4 A720r, A720r Firmware, X5000r and 1 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system function with untrusted input. In the function, "command" parameter is directly passed to the attacker, allowing them to control the "command" field to attack the OS. | |||||
CVE-2021-34228 | 1 Totolink | 2 A3002r, A3002r Firmware | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting in parent_control.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Description" field and "Service Name" field. | |||||
CVE-2021-35324 | 1 Totolink | 2 A720r, A720r Firmware | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
A vulnerability in the Form_Login function of TOTOLINK A720R A720R_Firmware V4.1.5cu.470_B20200911 allows attackers to bypass authentication. | |||||
CVE-2021-27710 | 1 Totolink | 4 A720r, A720r Firmware, X5000r and 1 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system function with untrusted input. In the function, "ip" parameter is directly passed to the attacker, allowing them to control the "ip" field to attack the OS. | |||||
CVE-2021-34223 | 1 Totolink | 2 A3002r, A3002r Firmware | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting in urlfilter.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "URL Address" field. | |||||
CVE-2021-35325 | 1 Totolink | 2 A720r, A720r Firmware | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
A stack overflow in the checkLoginUser function of TOTOLINK A720R A720R_Firmware v4.1.5cu.470_B20200911 allows attackers to cause a denial of service (DOS). | |||||
CVE-2021-34220 | 1 Totolink | 2 A3002r, A3002r Firmware | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting in tr069config.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "User Name" field or "Password" field. | |||||
CVE-2021-34215 | 1 Totolink | 2 A3002r, A3002r Firmware | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting in tcpipwan.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Service Name" field. | |||||
CVE-2021-35326 | 1 Totolink | 2 A720r, A720r Firmware | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
A vulnerability in TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows attackers to download the configuration file via sending a crafted HTTP request. | |||||
CVE-2021-34207 | 1 Totolink | 2 A3002r, A3002r Firmware | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting in ddns.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Domain Name" field, "Server Address" field, "User Name/Email", or "Password/Key" field. | |||||
CVE-2015-9550 | 1 Totolink | 16 A850r-v1, A850r-v1 Firmware, F1-v2 and 13 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. By sending a specific hel,xasf packet to the WAN interface, it is possible to open the web management interface on the WAN interface. | |||||
CVE-2020-27368 | 1 Totolink | 2 A702r, A702r Firmware | 2023-12-10 | 2.1 LOW | 5.5 MEDIUM |
Directory Indexing in Login Portal of Login Portal of TOTOLINK-A702R-V1.0.0-B20161227.1023 allows attacker to access /icons/ directories via GET Parameter. | |||||
CVE-2015-9551 | 1 Totolink | 16 A850r-v1, A850r-v1 Firmware, F1-v2 and 13 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. There is Remote Code Execution in the management interface via the formSysCmd sysCmd parameter. | |||||
CVE-2020-25499 | 1 Totolink | 26 A3002r, A3002r Firmware, A3002ru-v1 and 23 more | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
TOTOLINK A3002RU-V2.0.0 B20190814.1034 allows authenticated remote users to modify the system's 'Run Command'. An attacker can use this functionality to execute arbitrary OS commands on the router. | |||||
CVE-2019-19823 | 11 Ciktel, Coship, Fg-products and 8 more | 36 Mesh Router, Mesh Router Firmware, Emta Ap and 33 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) stores cleartext administrative passwords in flash memory and in a file. This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0; Rutek RTK 11N AP through 2019-12-12; Sapido GR297n through 2019-12-12; CIK TELECOM MESH ROUTER through 2019-12-12; KCTVJEJU Wireless AP through 2019-12-12; Fibergate FGN-R2 through 2019-12-12; Hi-Wifi MAX-C300N through 2019-12-12; HCN MAX-C300N through 2019-12-12; T-broad GN-866ac through 2019-12-12; Coship EMTA AP through 2019-12-12; and IO-Data WN-AC1167R through 2019-12-12. | |||||
CVE-2018-13313 | 1 Totolink | 2 A3002ru, A3002ru Firmware | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the user to change their account name and password. This page, password.htm, contains JavaScript which is used to confirm the user knows their current password before allowing them to change their password. However, this JavaScript contains the current user’s password in plaintext. | |||||
CVE-2019-19824 | 1 Totolink | 16 A3002ru, A3002ru Firmware, A702r and 13 more | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
On certain TOTOLINK Realtek SDK based routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. This allows for full control over the device's internals. This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0. |