Lucene search

[email protected]NVD:CVE-2023-48859

HistoryDec 06, 2023 - 3:15 p.m.

CVE-2023-48859

2023-12-0615:15:06

CWE-863

[email protected]

web.nvd.nist.gov

totolink a3002ru

post-authentication

rce

access control

security restrictions

arbitrary code

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

52.2%

JSON

TOTOLINK A3002RU version 2.0.0-B20190902.1958 has a post-authentication RCE due to incorrect access control, allows attackers to bypass front-end security restrictions and execute arbitrary code.

Affected configurations

Nvd

Node

totolinka3002ruMatch-

AND

totolinka3002ru_firmwareMatch2.0.0-b20190902.1958

VendorProductVersionCPE
totolinka3002ru-cpe:2.3:h:totolink:a3002ru:-:*:*:*:*:*:*:*
totolinka3002ru_firmware2.0.0-b20190902.1958cpe:2.3:o:totolink:a3002ru_firmware:2.0.0-b20190902.1958:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
totolink	a3002ru	-	cpe:2.3:h:totolink:a3002ru:-:::::::*
totolink	a3002ru_firmware	2.0.0-b20190902.1958	cpe:2.3:o:totolink:a3002ru_firmware:2.0.0-b20190902.1958:::::::*

References

github.com/xieqiang11/security_research/blob/main/TOTOLINK-A3002RU-RCE.md

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

52.2%

JSON

Related for NVD:CVE-2023-48859

prion1 cvelist1 cve1