Filtered by vendor Totolink Subscriptions
Total 643 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2018-13314 1 Totolink 2 A3002ru, A3002ru Firmware 2024-11-21 N/A
System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ipAddr" POST parameter.
CVE-2018-13313 1 Totolink 2 A3002ru, A3002ru Firmware 2024-11-21 6.5 Medium
In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the user to change their account name and password. This page, password.htm, contains JavaScript which is used to confirm the user knows their current password before allowing them to change their password. However, this JavaScript contains the current user’s password in plaintext.
CVE-2018-13312 1 Totolink 2 A3002ru, A3002ru Firmware 2024-11-21 N/A
Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "Input your notice URL" field.
CVE-2018-13311 1 Totolink 2 A3002ru, A3002ru Firmware 2024-11-21 N/A
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "sambaUser" POST parameter.
CVE-2018-13310 1 Totolink 2 A3002ru, A3002ru Firmware 2024-11-21 N/A
Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's username.
CVE-2018-13309 1 Totolink 2 A3002ru, A3002ru Firmware 2024-11-21 N/A
Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's password.
CVE-2018-13308 1 Totolink 2 A3002ru, A3002ru Firmware 2024-11-21 N/A
Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "User phrases button" field.
CVE-2018-13307 1 Totolink 2 A3002ru, A3002ru Firmware 2024-11-21 N/A
System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. Certain payloads cause the device to become permanently inoperable.
CVE-2018-13306 1 Totolink 2 A3002ru, A3002ru Firmware 2024-11-21 N/A
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ftpUser" POST parameter.
CVE-2017-1000020 3 Ecos, Greatek, Totolink 3 Embedded Web Servers, Soho, Soho 2024-11-21 N/A
SYN Flood or FIN Flood attack in ECos 1 and other versions embedded devices results in web Authentication Bypass. "eCos Embedded Web Servers used by Multiple Routers and Home devices, while sending SYN Flood or FIN Flood packets fails to validate and handle the packets and does not ask for any sign of authentication resulting in Authentication Bypass. An attacker can take complete advantage of this bug and take over the device remotely or locally. The bug has been successfully tested and reproduced in some versions of SOHO Routers manufactured by TOTOLINK, GREATEK and others."
CVE-2015-9551 1 Totolink 16 A850r-v1, A850r-v1 Firmware, F1-v2 and 13 more 2024-11-21 9.8 Critical
An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. There is Remote Code Execution in the management interface via the formSysCmd sysCmd parameter.
CVE-2015-9550 1 Totolink 16 A850r-v1, A850r-v1 Firmware, F1-v2 and 13 more 2024-11-21 7.5 High
An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. By sending a specific hel,xasf packet to the WAN interface, it is possible to open the web management interface on the WAN interface.
CVE-2023-51133 1 Totolink 2 X2000r, X2000r Firmware 2024-11-20 9.8 Critical
TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formRoute.
CVE-2024-31813 1 Totolink 1 Ex200 Firmware 2024-11-19 8.4 High
TOTOLINK EX200 V4.0.3c.7646_B20201211 does not contain an authentication mechanism by default.
CVE-2024-51141 1 Totolink 1 Wifi Usb Driver 2024-11-18 7.8 High
An issue in TOTOLINK Bluetooth Wireless Adapter A600UB allows a local attacker to execute arbitrary code via the WifiAutoInstallDriver.exe and MSASN1.dll components.
CVE-2023-7214 1 Totolink 2 N350rt, N350rt Firmware 2024-11-14 6.3 Medium
A vulnerability, which was classified as critical, has been found in Totolink N350RT 9.3.5u.6139_B20201216. Affected by this issue is the function main of the file /cgi-bin/cstecgi.cgi?action=login of the component HTTP POST Request Handler. The manipulation of the argument v8 leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-249770 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-7222 1 Totolink 2 X2000r, X2000r Firmware 2024-11-14 7.2 High
A vulnerability was found in Totolink X2000R 1.0.0-B20221212.1452. It has been declared as critical. This vulnerability affects the function formTmultiAP of the file /bin/boa of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249856. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-52027 1 Totolink 2 A3700r, A3700r Firmware 2024-11-14 9.8 Critical
TOTOlink A3700R v9.1.2u.5822_B20200513 was discovered to contain a remote command execution (RCE) vulnerability via the NTPSyncWithHost function.
CVE-2023-37148 1 Totolink 2 Lr350, Lr350 Firmware 2024-11-14 9.8 Critical
TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the ussd parameter in the setUssd function.
CVE-2023-37149 1 Totolink 2 Lr350, Lr350 Firmware 2024-11-13 9.8 Critical
TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the setUploadSetting function.