Kv

**Name of the Vulnerable Software and Affected Versions** Totolink A3100R version 5.9c.4577 **Description** The issue concerns an unauthenticated API-like function in the "test.asp" file. This function allows an attacker to configure multiple settings without proper authentication. **Recommendations** For Totolink A3100R version 5.9c.4577, consider restricting access to the "test.asp" file until a patch is available. As a temporary workaround, disabling the unauthenticated API-like function in "test.asp" can help minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** totolink a3100r version V5.9c.4577 **Description** The issue concerns an os command injection vulnerability. It occurs because the backend of a page executes the `ping` command, and the input field does not properly filter special symbols, leading to potential command injection attacks. **Recommendations** For totolink a3100r version V5.9c.4577, consider restricting access to the vulnerable page or input field until a proper fix is available. As a temporary workaround, avoid using special symbols in the input field to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** totolink a3100r version V5.9c.4577 **Description** The issue concerns a hard-coded telnet password in the official released firmware, which can be easily discovered. An attacker connected to the Wi-Fi can exploit this by telnetting into the target with root shell if the telnet function is turned on. **Recommendations** For totolink a3100r version V5.9c.4577, consider disabling the telnet function as a temporary workaround to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Totolink A3100R version 5.9c.4577 **Description** The issue allows multiple pages to be read without authentication using tools like curl or Burp Suite. Furthermore, admin configurations can be set without the need for cookies. **Recommendations** For Totolink A3100R version 5.9c.4577, consider restricting access to sensitive pages and configurations to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the device for sensitive operations that require authentication. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Totolink A3100R version 5.9c.4577 **Description** The issue concerns the use of insufficiently random values via the web configuration, making the `SESSION ID` predictable. This predictability allows an attacker to hijack a valid session and conduct further malicious operations. **Recommendations** For Totolink A3100R version 5.9c.4577, consider restricting access to the web configuration until a patch is available to minimize the risk of session hijacking. As a temporary workaround, avoid using the predictable `SESSION ID` in the affected web configuration endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.