PT-2018-11732 · Totolink · Totolink A3002Ru
Published
2018-11-26
·
Updated
2018-12-19
·
CVE-2018-13309
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
TOTOLINK A3002RU version 1.0.8
Description
The issue allows attackers to execute arbitrary JavaScript via the user's password, specifically through cross-site scripting in the password.htm file.
Recommendations
For TOTOLINK A3002RU version 1.0.8, consider updating to a newer version that addresses this issue, if available. As a temporary workaround, restrict access to the password.htm file to minimize the risk of exploitation. Avoid using the
password variable in the affected API endpoint until the issue is resolved.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Totolink A3002Ru