CVE-2021-46006 — Missing Authentication for Critical Function in A3100r Firmware

CWE-306 — Missing Authentication for Critical Function3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 53.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Totolink A3100r Firmware

Timeline

PublishedMar 30

Latest updateApr 1

Description

In Totolink A3100R V5.9c.4577, "test.asp" contains an API-like function, which is not authenticated. Using this function, an attacker can configure multiple settings without authentication.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶NVDtotolink/a3100r_firmware5.9c.4577

🔴Vulnerability Details

GHSA

GHSA-34v3-w4c4-qr24: In Totolink A3100R V5↗2022-04-01

▶

CVEList

CVE-2021-46006: In Totolink A3100R V5↗2022-03-30

▶