CVE-2018-13313
Admin Password returned in password.htm
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the user to change their account name and password. This page, password.htm, contains JavaScript which is used to confirm the user knows their current password before allowing them to change their password. However, this JavaScript contains the current user’s password in plaintext.
En TOTOLINK A3002RU versión 1.0.8, el enrutador proporciona una página que permite al usuario cambiar su nombre de cuenta y contraseña. Esta página, password.htm, contiene JavaScript que es utilizado para confirmar que el usuario conozca su contraseña actual antes de permitirle cambiar su contraseña. Sin embargo, este JavaScript contiene la contraseña del usuario actual en texto plano.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2018-07-05 CVE Reserved
- 2020-02-24 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-922: Insecure Storage of Sensitive Information
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://www.ise.io/casestudies/sohopelessly-broken-2-0 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://blog.securityevaluators.com/new-vulnerabilities-in-totolink-a3002ru-d6f42a081154 | 2024-08-05 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Totolink Search vendor "Totolink" | A3002ru Firmware Search vendor "Totolink" for product "A3002ru Firmware" | 1.0.8 Search vendor "Totolink" for product "A3002ru Firmware" and version "1.0.8" | - |
Affected
| in | Totolink Search vendor "Totolink" | A3002ru Search vendor "Totolink" for product "A3002ru" | - | - |
Safe
|