Totolink A3100R Firmware vulnerabilities
47 known vulnerabilities affecting totolink/a3100r_firmware.
Total CVEs: 47
CISA KEV: 0
Public exploits: 0
Exploited in wild: 2
Severity breakdown: CRITICAL 24, HIGH 20, MEDIUM 3
Vulnerabilities
Page 2 of 3
CVE-2024-36650 | HIGH | CVSS 7.5 | CWE-120 | Affected: v4.1.2cu.5247_b20211129 | Date: 2024-06-11
TOTOLINK AC1200 Wireless Dual Band Gigabit Router firmware A3100R V4.1.2cu.5247_B20211129, in the cgi function `setNoticeCfg` of the file `/lib/cste_modules/system.so`, the length of the user input string `NoticeUrl` is not checked. This can lead to a buffer overflow, allowing attackers to construct malicious HTTP or MQTT requests to cause a denial-of
Source: nvd
CVE-2022-28935 | HIGH | CVSS 7.2 | CWE-77 | Affected: v4.1.2cu.5050_b20200504 | Date: 2022-07-06
Totolink A830R V5.9c.4729_B20191112, Totolink A3100R V4.1.2cu.5050_B20200504, Totolink A950RG V4.1.2cu.5161_B20200903, Totolink A800R V4.1.2cu.5137_B20200730, Totolink A3000RU V5.9c.5185_B20201128, Totolink A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability.
Source: nvd
CVE-2022-29644 | CRITICAL | CVSS 9.8 | CWE-798 | Affected: v4.1.2cu.5050_b20200504, v4.1.2cu.5247_b20211129 | Date: 2022-05-18
TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a hard coded password for the telnet service stored in the component /web_cste/cgi-bin/product.ini.
Source: nvd
CVE-2022-29645 | CRITICAL | CVSS 9.8 | CWE-798 | Affected: v4.1.2cu.5050_b20200504, v4.1.2cu.5247_b20211129 | Date: 2022-05-18
TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a hard coded password for root stored in the component /etc/shadow.sample.
Source: nvd
CVE-2022-29640 | HIGH | CVSS 7.5 | CWE-787 | Affected: v4.1.2cu.5050_b20200504, v4.1.2cu.5247_b20211129 | Date: 2022-05-18
TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a stack overflow via the comment parameter in the function setPortForwardRules. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request.
Source: nvd
CVE-2022-29639 | HIGH | CVSS 8.1 | Affected: v4.1.2cu.5050_b20200504, v4.1.2cu.5247_b20211129 | Date: 2022-05-18
TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a command injection vulnerability via the magicid parameter in the function uci_cloudupdate_config.
Source: nvd
CVE-2022-29643 | HIGH | CVSS 7.5 | CWE-787 | Affected: v4.1.2cu.5050_b20200504, v4.1.2cu.5247_b20211129 | Date: 2022-05-18
TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a stack overflow via the macAddress parameter in the function setMacQos. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request.
Source: nvd
CVE-2022-29638 | HIGH | CVSS 7.5 | CWE-787 | Affected: v4.1.2cu.5050_b20200504, v4.1.2cu.5247_b20211129 | Date: 2022-05-18
TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a stack overflow via the comment parameter in the function setIpQosRules. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request.
Source: nvd
CVE-2022-29641 | HIGH | CVSS 7.5 | CWE-787 | Affected: v4.1.2cu.5050_b20200504, v4.1.2cu.5247_b20211129 | Date: 2022-05-18
TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a stack overflow via the startTime and endTime parameters in the function setParentalRules. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request.
Source: nvd
CVE-2022-29642 | HIGH | CVSS 7.5 | CWE-787 | Affected: v4.1.2cu.5050_b20200504, v4.1.2cu.5247_b20211129 | Date: 2022-05-18
TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a stack overflow via the url parameter in the function setUrlFilterRules. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request.
Source: nvd
CVE-2022-29646 | MEDIUM | CVSS 5.3 | CWE-668 | Affected: v4.1.2cu.5050_b20200504, v4.1.2cu.5247_b20211129 | Date: 2022-05-18
An access control issue in TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 allows attackers to obtain sensitive information via a crafted web request.
Source: nvd
CVE-2021-46009 | CRITICAL | CVSS 9.8 | CWE-306 | Affected: v5.9c.4577 | Date: 2022-03-30
In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies.
Source: nvd
CVE-2021-46008 | HIGH | CVSS 8.8 | CWE-798 | Affected: v5.9c.4577 | Date: 2022-03-30
In Totolink A3100R V5.9c.4577, the hard-coded telnet password can be discovered from the officially released firmware. An attacker who has connected to the Wi-Fi can easily telnet into the target and obtain a root shell if the telnet function is turned on.
Source: nvd
CVE-2021-46010 | HIGH | CVSS 8.8 | CWE-330 | Affected: v5.9c.4577 | Date: 2022-03-30
Totolink A3100R V5.9c.4577 suffers from Use of Insufficiently Random Values via the web configuration. The SESSION_ID is predictable. An attacker can hijack a valid session and conduct further malicious operations.
Source: nvd
CVE-2021-46006 | MEDIUM | CVSS 6.5 | CWE-306 | Affected: v5.9c.4577 | Date: 2022-03-30
In Totolink A3100R V5.9c.4577, "test.asp" contains an API-like function, which is not authenticated. Using this function, an attacker can configure multiple settings without authentication.
Source: nvd
CVE-2022-26208 | CRITICAL | CVSS 9.8 | CWE-78 | Affected: v4.1.2cu.5050_b20200504 | Date: 2022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setWebWlanIdx, via the webWlanIdx parameter. This vulnerability allows attack
Source: nvd
CVE-2022-26212 | CRITICAL | CVSS 9.8 | CWE-78 | Affected: v4.1.2cu.5050_b20200504 | Date: 2022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setDeviceName, via the deviceMac and deviceName parameters. This vulnerabilit
Source: nvd
CVE-2022-26210 | CRITICAL | CVSS 9.8 | CWE-78 | Exploited in wild | Affected: v4.1.2cu.5050_b20200504 | Date: 2022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setUpgradeFW, via the FileName parameter. This vulnerability allows attackers
Source: nvd
CVE-2022-26207 | CRITICAL | CVSS 9.8 | CWE-78 | Affected: v4.1.2cu.5050_b20200504 | Date: 2022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setDiagnosisCfg, via the ipDoamin parameter. This vulnerability allows attack
Source: nvd
CVE-2022-26211 | CRITICAL | CVSS 9.8 | CWE-78 | Affected: v4.1.2cu.5050_b20200504 | Date: 2022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function CloudACMunualUpdate, via the deviceMac and deviceName parameters. This vulner
Source: nvd