CPE matches: cpe:2.3:o:totolink:n300rh-v3_firmware:*:*:*:*:*:*:*:* && versionEndExcluding=3.2.4-b20201029.1838
TOTOLINK A3002RU-V2.0.0 B20190814.1034 allows authenticated remote users to modify the system's 'Run Command'. An attacker can use this functionality to execute arbitrary OS commands on the router.
- Complete loss of protection.
- Access to all information.
- Full Denial Of Service (DoS).
- Remote attacking is possible through the network but requires the attacker to have regular user privileges.
- No user interaction is required.
- The attack is estimated to have a high success rate, once attempted.
Damage and attack conditions obtained from CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (CVSSv3)
Type of bug(s)
- CWE-78, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'):
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
- CWE-862, Missing Authorization:
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.