This time, a fresh instance of software vulnerabilities has been reported by TOTOLINK. TOTOLINK, established in 2017, according to their official website “is a global provider of reliable 4G LTE and 5G network devices and solutions!” TOTOLINK is owned by Hong Kong-based Zioncom Holdings Limited, which is a holding group that focuses on network communication products like wireless routers, adapters, switching equipment, and more.
The Totolink Software Vulnerability
On August 21st, 2021 a software vulnerability report was released on the public CVE (Common Vulnerabilities and Exposures) database detailing multiple vulnerabilities in TOTOLINK devices. The vulnerabilities can lead to a remote attack by a malicious user and ultimately compromise of a vulnerable system. The CVE ID code for this software vulnerability is CVE-2021-34228.
Technical Details
The software vulnerabilities concern the TOTOLINK A3002R ‘Super Speed’ Wireless Dual Band Gigabit Router. These security flaws were found in TOTOLINK A3002R 1.1.1-B20200824 and classified as problematic. These issues affect an unknown function of the file parent_control.htm. The manipulation of the argument Description/ServiceName with an unknown input leads to a cross-site scripting vulnerability. Codes from the files tcpipwan.htm, tr069config.htm, and ddns.htm belonging to the router’s software are vulnerable. The advisory has been shared on GitHub, and the security flaw has been confirmed as easily exploitable by a remote attacker via a simple authentication method (user interaction.) An attacker can easily execute arbitrary JavaScript by modifying segments of the software code.
Affected Software Versions
The affected product and software version in question is the TOTOLINK A3002R 1.1.1-B20200824.
Important User Information
As of right now, there is no fix for these present vulnerabilities. Users of the TOTOLINK A3002R should visit the downloads page for any security updates. Alternatively, it is highly recommended that users contact TOTOLINK on their contact page for additional information about these software vulnerabilities.
