CVE-2018-13313


In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the user to change their account name and password. This page, password.htm, contains JavaScript which is used to confirm the user knows their current password before allowing them to change their password. However, this JavaScript contains the current user’s password in plaintext.


Published

2020-02-24T19:15:11.933

Last Modified

2024-11-21T03:46:51.290

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-922

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | totolink | a3002ru_firmware | 1.0.8 | Yes |
| Hardware | totolink | a3002ru | - | No |
