CVE-2018-13315

Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request.

CVSS v3 9.8 CRITICAL
CVSS v2.0 5.0 MEDIUM

9.8^/10

CVSS v3 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://blog.securityevaluators.com/new-vulnerabilities-in-totolink-a3002ru-d6f42a081154	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:totolink:a3002ru_firmware:1.0.8:*:*:*:*:*:*:*

cpe:2.3:h:totolink:a3002ru:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-11-26 23:29

Updated : 2024-02-04 20:03

NVD link : CVE-2018-13315

Mitre link : CVE-2018-13315

CVE.ORG link : CVE-2018-13315

JSON object : View

Products Affected

totolink

a3002ru_firmware
a3002ru

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2018-13315", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2018-11-26T23:29:00.453", "references": [{"url": "https://blog.securityevaluators.com/new-vulnerabilities-in-totolink-a3002ru-d6f42a081154", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request."}, {"lang": "es", "value": "El control de acceso incorrecto en formPasswordSetup, en la versi\u00f3n 1.0.8 de TOTOLINK A3002RU, permite a los atacantes cambiar la contrase\u00f1a del usuario de administrador mediante una petici\u00f3n POST no autenticada."}], "lastModified": "2018-12-20T15:54:56.367", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:totolink:a3002ru_firmware:1.0.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E3280CDA-877A-4BCE-9919-5A8D58D7EBFC"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:totolink:a3002ru:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "21945D3C-27AA-4614-8D5D-C22DE8C56F94"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}