cnvd - cnvd-2025-10916

cnvd-2025-10916

Vulnerability from cnvd

Title: TOTOLINK A3002R跨站脚本漏洞

Description:

TOTOLINK A3002R是中国吉翁电子（TOTOLINK）公司的一款无线路由器。

TOTOLINK A3002R存在跨站脚本漏洞，该漏洞源于组件VPN Page中参数Comment对用户提供的数据缺乏有效过滤与转义，目前没有详细的漏洞细节提供。

Severity: 低

Formal description:

目前厂商尚未发布升级程序修复该安全问题，详情见厂商官网： https://www.totolink.net/

Reference: https://github.com/fizz-is-on-the-way/Iot_vuls/tree/main/A3002RU_V2/XSS_VPN

Impacted products

Name
TOTOLINK A3002R 2.1.1-B20230720.1011

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-4852",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-4852"
    }
  },
  "description": "TOTOLINK A3002R\u662f\u4e2d\u56fd\u5409\u7fc1\u7535\u5b50\uff08TOTOLINK\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u65e0\u7ebf\u8def\u7531\u5668\u3002\n\nTOTOLINK A3002R\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7ec4\u4ef6VPN Page\u4e2d\u53c2\u6570Comment\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u6570\u636e\u7f3a\u4e4f\u6709\u6548\u8fc7\u6ee4\u4e0e\u8f6c\u4e49\uff0c\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://www.totolink.net/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-10916",
  "openTime": "2025-05-28",
  "products": {
    "product": "TOTOLINK A3002R 2.1.1-B20230720.1011"
  },
  "referenceLink": "https://github.com/fizz-is-on-the-way/Iot_vuls/tree/main/A3002RU_V2/XSS_VPN",
  "serverity": "\u4f4e",
  "submitTime": "2025-05-22",
  "title": "TOTOLINK A3002R\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2025-4852 (GCVE-0-2025-4852)

Vulnerability from cvelistv5

Published

2025-05-18 03:50

Modified

2025-05-19 14:27

Severity ?

4.8 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2.4 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
2.4 (Low) - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

CWE

CWE-79 - Cross Site Scripting
CWE-94 - Code Injection

Summary

A vulnerability, which was classified as problematic, has been found in TOTOLINK A3002R 2.1.1-B20230720.1011. This issue affects some unknown processing of the component VPN Page. The manipulation of the argument Comment leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

References

▼	URL	Tags
	https://vuldb.com/?id.309323	vdb-entry, technical-description
	https://vuldb.com/?ctiid.309323	signature, permissions-required
	https://vuldb.com/?submit.575099	third-party-advisory
	https://github.com/fizz-is-on-the-way/Iot_vuls/tree/main/A3002RU_V2/XSS_VPN	exploit
	https://www.totolink.net/	product

Impacted products

	Vendor	Product	Version
	TOTOLINK	A3002R	Version: 2.1.1-B20230720.1011

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4852",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-19T14:27:53.868040Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-19T14:27:57.265Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/fizz-is-on-the-way/Iot_vuls/tree/main/A3002RU_V2/XSS_VPN"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "VPN Page"
          ],
          "product": "A3002R",
          "vendor": "TOTOLINK",
          "versions": [
            {
              "status": "affected",
              "version": "2.1.1-B20230720.1011"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "lcyf-fizz (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability, which was classified as problematic, has been found in TOTOLINK A3002R 2.1.1-B20230720.1011. This issue affects some unknown processing of the component VPN Page. The manipulation of the argument Comment leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "Eine Schwachstelle wurde in TOTOLINK A3002R 2.1.1-B20230720.1011 entdeckt. Sie wurde als problematisch eingestuft. Betroffen davon ist ein unbekannter Prozess der Komponente VPN Page. Durch die Manipulation des Arguments Comment mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 3.3,
            "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross Site Scripting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "Code Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-18T03:50:12.393Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-309323 | TOTOLINK A3002R VPN Page cross site scripting",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.309323"
        },
        {
          "name": "VDB-309323 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.309323"
        },
        {
          "name": "Submit #575099 | TOTOLINK A3002RU_V2 V2.1.1-B20230720.1011 Cross Site Scripting",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.575099"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/fizz-is-on-the-way/Iot_vuls/tree/main/A3002RU_V2/XSS_VPN"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.totolink.net/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-16T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-05-16T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-05-16T17:21:36.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "TOTOLINK A3002R VPN Page cross site scripting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-4852",
    "datePublished": "2025-05-18T03:50:12.393Z",
    "dateReserved": "2025-05-16T15:16:24.767Z",
    "dateUpdated": "2025-05-19T14:27:57.265Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted