Totolink N300Rt Firmware vulnerabilities

11 known vulnerabilities affecting totolink/n300rt_firmware.

Total CVEs
11
CISA KEV
0
Public exploits
4
Exploited in wild
2
Severity breakdown
CRITICAL2HIGH4MEDIUM5

Vulnerabilities

Page 1 of 1
CVE-2024-32333MEDIUMCVSS 4.3v2.1.8-b20201030.15392024-04-18
CVE-2024-32333 [MEDIUM] CWE-79 CVE-2024-32333: TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scripting (XSS) vulnerability in M TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scripting (XSS) vulnerability in MAC Filtering under the Firewall Page.
nvd
CVE-2024-32332MEDIUMCVSS 6.1v2.1.8-b20201030.15392024-04-18
CVE-2024-32332 [MEDIUM] CWE-79 CVE-2024-32332: TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scripting (XSS) vulnerability in W TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scripting (XSS) vulnerability in WDS Settings under the Wireless Page.
nvd
CVE-2024-32335MEDIUMCVSS 5.4v2.1.8-b20201030.15392024-04-18
CVE-2024-32335 [MEDIUM] CWE-79 CVE-2024-32335: TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scripting (XSS) vulnerability in A TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scripting (XSS) vulnerability in Access Control under the Wireless Page.
nvd
CVE-2024-32334MEDIUMCVSS 6.5v2.1.8-b20201030.15392024-04-18
CVE-2024-32334 [MEDIUM] CWE-79 CVE-2024-32334: TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scripting (XSS) vulnerability in I TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scripting (XSS) vulnerability in IP/Port Filtering under the Firewall Page.
nvd
CVE-2024-32327MEDIUMCVSS 5.5v2.1.8-b20201030.15392024-04-18
CVE-2024-32327 [MEDIUM] CWE-79 CVE-2024-32327: TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scripting (XSS) vulnerability in P TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scripting (XSS) vulnerability in Port Forwarding under the Firewall Page.
nvd
CVE-2023-48860CRITICALCVSS 9.8v3.2.4-b20180730.09062023-12-07
CVE-2023-48860 [CRITICAL] CVE-2023-48860: TOTOLINK N300RT version 3.2.4-B20180730.0906 has a post-authentication RCE due to incorrect access c TOTOLINK N300RT version 3.2.4-B20180730.0906 has a post-authentication RCE due to incorrect access control, allows attackers can bypass front-end security restrictions and execute arbitrary code.
nvd
CVE-2020-25499HIGHCVSS 8.8Exploitedfixed in 3.4.0-b20201026.20332020-12-09
CVE-2020-25499 [HIGH] CWE-78 CVE-2020-25499: TOTOLINK A3002RU-V2.0.0 B20190814.1034 allows authenticated remote users to modify the system's 'Run TOTOLINK A3002RU-V2.0.0 B20190814.1034 allows authenticated remote users to modify the system's 'Run Command'. An attacker can use this functionality to execute arbitrary OS commands on the router.
nvd
CVE-2019-19825CRITICALCVSS 9.8PoC≤ 3.4.02020-01-27
CVE-2019-19825 [CRITICAL] CWE-287 CVE-2019-19825: On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl": On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl":"setting/getSanvas"} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass. (Also, the CAPTCHA text is not needed once the attacker has determined valid credentials. The attacker can perform router actions via HTTP requests with Basic Authen
nvd
CVE-2019-19823HIGHCVSS 7.5PoC≤ 3.4.02020-01-27
CVE-2019-19823 [HIGH] CWE-522 CVE-2019-19823: A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) st A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) stores cleartext administrative passwords in flash memory and in a file. This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N10
nvd
CVE-2019-19824HIGHCVSS 8.8ExploitedPoC≤ 3.4.02020-01-27
CVE-2019-19824 [HIGH] CWE-78 CVE-2019-19824: On certain TOTOLINK Realtek SDK based routers, an authenticated attacker may execute arbitrary OS co On certain TOTOLINK Realtek SDK based routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. This allows for full control over the device's internals. This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R th
nvd
CVE-2019-19822HIGHCVSS 7.5PoC≤ 3.4.02020-01-27
CVE-2019-19822 [HIGH] CWE-306 CVE-2019-19822: A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) al A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) allows remote attackers to retrieve the configuration, including sensitive data (usernames and passwords). This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.
nvd