CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2021-34215
https://notcve.org/view.php?id=CVE-2021-34215
20 Aug 2021 — Cross-site scripting in tcpipwan.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Service Name" field. Una vulnerabilidad de tipo Cross-site scripting en el archivo tcpipwan.htm en TOTOLINK A3002R versión V1.1.1-B20200824 (Actualización Importante, nueva Interfaz de Usuario) permite a atacantes ejecutar JavaScript arbitrario modificando el campo "Service Name". • https://github.com/pup2y/IoTVul/tree/main/TOTOLINK/A3002R • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2021-34207
https://notcve.org/view.php?id=CVE-2021-34207
20 Aug 2021 — Cross-site scripting in ddns.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Domain Name" field, "Server Address" field, "User Name/Email", or "Password/Key" field. Una vulnerabilidad de tipo Cross-site scripting en el archivo ddns.htm en TOTOLINK A3002R versión V1.1.1-B20200824 (Actualización Importante, nueva Interfaz de Usuario) permite a atacantes ejecutar JavaScript arbitrario modificando el campo "Domain Name... • https://github.com/pup2y/IoTVul/tree/main/TOTOLINK/A3002R • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2021-35325
https://notcve.org/view.php?id=CVE-2021-35325
05 Aug 2021 — A stack overflow in the checkLoginUser function of TOTOLINK A720R A720R_Firmware v4.1.5cu.470_B20200911 allows attackers to cause a denial of service (DOS). Un desbordamiento de la pila en la función checkLoginUser del router TOTOLINK A720R con firmware versión v4.1.5cu.470_B20200911, permite a atacantes causar una denegación de servicio (DOS) • https://github.com/hurricane618/my_cves/blob/master/router/totolink/A720R_cookie_overflow.md • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 1CVE-2021-35327
https://notcve.org/view.php?id=CVE-2021-35327
05 Aug 2021 — A vulnerability in TOTOLINK A720R A720R_Firmware v4.1.5cu.470_B20200911 allows attackers to start the Telnet service, then login with the default credentials via a crafted POST request. Una vulnerabilidad en TOTOLINK A720R A720R_Firmware versión v4.1.5cu.470_B20200911, permite a atacantes iniciar el servicio Telnet, y luego iniciar sesión con las credenciales predeterminadas por medio de una petición POST diseñada • https://github.com/hurricane618/my_cves/blob/master/router/totolink/A720R_default_telnet_info.md • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2021-35326
https://notcve.org/view.php?id=CVE-2021-35326
05 Aug 2021 — A vulnerability in TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows attackers to download the configuration file via sending a crafted HTTP request. Una vulnerabilidad en el router TOTOLINK A720R con firmware versión v4.1.5cu.470_B20200911, permite a atacantes descargar el archivo de configuración por medio de una petición HTTP diseñada • https://github.com/hurricane618/my_cves/blob/master/router/totolink/A720R_leak_config_file.md •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 1CVE-2021-35324
https://notcve.org/view.php?id=CVE-2021-35324
05 Aug 2021 — A vulnerability in the Form_Login function of TOTOLINK A720R A720R_Firmware V4.1.5cu.470_B20200911 allows attackers to bypass authentication. Una vulnerabilidad en la función Form_Login de TOTOLINK A720R A720R_Firmware versión V4.1.5cu.470_B20200911, permite a atacantes omitir la autenticación • https://github.com/hurricane618/my_cves/blob/master/router/totolink/A720R_login_bypass.md •
CVSS: 10.0EPSS: 8%CPEs: 4EXPL: 2CVE-2021-27710
https://notcve.org/view.php?id=CVE-2021-27710
14 Apr 2021 — Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system function with untrusted input. In the function, "ip" parameter is directly passed to the attacker, allowing them to control the "ip" field to attack the OS. Una Inyección de Comandos en el enrutador TOTOLINK X5000R co... • https://hackmd.io/Hy3oVgtcQiuqAtv9FdylHw • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 8%CPEs: 4EXPL: 2CVE-2021-27708
https://notcve.org/view.php?id=CVE-2021-27708
14 Apr 2021 — Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system function with untrusted input. In the function, "command" parameter is directly passed to the attacker, allowing them to control the "command" field to attack the OS. Una inyección de comandos en el enrutador TOTOLINK... • https://hackmd.io/7FtB06f-SJ-SCfkMYcXYxA • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 1CVE-2020-27368
https://notcve.org/view.php?id=CVE-2020-27368
14 Jan 2021 — Directory Indexing in Login Portal of Login Portal of TOTOLINK-A702R-V1.0.0-B20161227.1023 allows attacker to access /icons/ directories via GET Parameter. Una Indexación de Directorios en el Portal de Inicio de Sesión del Portal de Inicio de Sesión de TOTOLINK-A702R- versión V1.0.0-B20161227.1023, permite a un atacante acceder a directorios /icons/ por medio del parámetro GET • https://github.com/swzhouu/CVE-2020-27368 • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 9.0EPSS: 0%CPEs: 26EXPL: 1CVE-2020-25499
https://notcve.org/view.php?id=CVE-2020-25499
09 Dec 2020 — TOTOLINK A3002RU-V2.0.0 B20190814.1034 allows authenticated remote users to modify the system's 'Run Command'. An attacker can use this functionality to execute arbitrary OS commands on the router. TOTOLINK A3002RU-V2.0.0 versión B20190814.1034, permite a usuarios remotos autenticados modificar el "Run Command" del sistema. Un atacante puede usar esta funcionalidad para ejecutar comandos arbitrarios del sistema operativo en el enrutador • https://github.com/kdoos/Vulnerabilities/blob/main/RCE_TOTOLINK-A3002RU-V2 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-862: Missing Authorization •