Cross-Site Scripting in TOTOLINK A3002R Router Products
CVE-2021-34207
6.1 MEDIUM
Summary
The TOTOLINK A3002R router is vulnerable to a cross-site scripting (XSS) attack due to improper handling of user input in the ddns.htm component. Attackers can exploit this flaw by injecting malicious JavaScript code through several fields including 'Domain Name', 'Server Address', 'User Name/Email', or 'Password/Key'. If successfully executed, the injected script may compromise user data, hijack sessions, or redirect users to malicious sites. Users are advised to update their devices to the latest firmware to mitigate this risk.
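The server-side handling that closes this class of flaw for the four ddns.htm fields, as an added example (not TOTOLINK firmware code): allowlist validation for 'Domain Name' and 'Server Address', and output encoding for 'User Name/Email' and 'Password/Key', which may legitimately contain special characters. It assumes a C-based web handler; the function names and the `ddns_user` field name are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Encode src for HTML text or a quoted attribute; 0 = ok, -1 = dst too small. */
int html_encode(const char *src, char *dst, size_t cap) {
    size_t o = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        const char *rep = *src == '&' ? "&amp;" : *src == '<' ? "&lt;" : *src == '>' ? "&gt;" :
                          *src == '"' ? "&quot;" : *src == '\'' ? "&#39;" : NULL;
        size_t n = rep ? strlen(rep) : 1;
        if (o + n + 1 > cap) return -1;      /* keep room for the NUL */
        if (rep) memcpy(dst + o, rep, n); else dst[o] = *src;
        o += n;
    }
    dst[o] = '\0';
    return 0;
}

/* Allowlist for 'Domain Name' and 'Server Address': DNS labels or a dotted IPv4. */
int is_valid_hostname(const char *s) {
    size_t len = strlen(s), label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-') return 0;   /* empty label or "x-." */
            label = 0;
        } else if (c < 128 && (isalnum(c) || (c == '-' && label > 0))) {
            if (++label > 63) return 0;                    /* DNS label length limit */
        } else return 0;                                   /* quotes, <, >, spaces, ... */
    }
    return label > 0 && s[len - 1] != '-';
}

/* Emit one form field; `name` is a fixed, developer-chosen (hypothetical) field name. */
int render_input(const char *name, const char *value, char *out, size_t cap) {
    char enc[512];
    if (html_encode(value, enc, sizeof enc) != 0) return -1;
    int n = snprintf(out, cap, "<input name=\"%s\" value=\"%s\">", name, enc);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void) {
    char html[1024];
    const char *user = "a\"><i>x</i>";   /* constructed sample value with markup */
    if (render_input("ddns_user", user, html, sizeof html) == 0) puts(html);
    return 0;
}
```

Validation rejects markup in the two hostname fields before it is stored, while encoding lets the credential fields round-trip unchanged without being parsed as HTML when the page is rendered.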
CVSS V3.1
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved