Command Injection Vulnerability in TOTOLINK A3002RU Router
CVE-2018-13311

9.8CRITICAL

Key Information:

Vendor: Totolink
Status: A3002ru Firmware
Vendor: CVE Published:; 26 November 2018

What is CVE-2018-13311?

A command injection vulnerability exists in the formDlna functionality of the TOTOLINK A3002RU router, specifically in version 1.0.8. This vulnerability allows attackers to execute arbitrary system commands remotely by manipulating the 'sambaUser' parameter within a POST request. Exploiting this flaw can lead to unauthorized access and control over the affected device, potentially compromising the integrity of the network.

References

https://blog.securityevaluators.com/new-vulnerabilities-i...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 26, 2018
Vulnerability Reserved
Jul 5, 2018

Totolink

What is CVE-2018-13311?

References

CVSS V3.1

Timeline