ID

VAR-202108-1782


CVE

CVE-2021-34228


TITLE

TOTOLINK A3002R Cross-site scripting vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2021-012360

DESCRIPTION

Cross-site scripting in parent_control.htm in TOTOLINK A3002R version V1.1.1-B20200824 (Important Update, new UI) allows attackers to execute arbitrary JavaScript by modifying the "Description" field and the "Service Name" field. TOTOLINK A3002R firmware has a cross-site scripting vulnerability. Information may be obtained and information may be tampered with. TOTOLINK A3002RU is a wireless router product from Taiwan TOTOLINK Company. There is a cross-site scripting vulnerability in TOTOLINK A3002RU, caused by a lack of effective validation of client-supplied data in the product's function for modifying the Description and Service Name fields. An attacker could use this vulnerability to execute client-side code.

Trust: 2.25

sources: NVD: CVE-2021-34228 // JVNDB: JVNDB-2021-012360 // CNVD: CNVD-2022-06508 // VULMON: CVE-2021-34228

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-06508

AFFECTED PRODUCTS

vendor: totolink
model: a3002r
scope: eq
version: 1.1.1-b20200824

Trust: 1.0

vendor: totolink
model: a3002r
scope: eq
version: -

Trust: 0.8

vendor: totolink
model: a3002r
scope: eq
version: a3002r firmware 1.1.1-b20200824

Trust: 0.8

vendor: totolink
model: a3002r 1.1.1-b20200824
scope: -
version: -

Trust: 0.6

sources: CNVD: CNVD-2022-06508 // JVNDB: JVNDB-2021-012360 // NVD: CVE-2021-34228

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2021-34228
value: MEDIUM

Trust: 1.8

CNVD: CNVD-2022-06508
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202108-1807
value: MEDIUM

Trust: 0.6

VULMON: CVE-2021-34228
value: MEDIUM

Trust: 0.1

NVD:
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: TRUE
version: 2.0

Trust: 1.0

NVD: CVE-2021-34228
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.9

CNVD: CNVD-2022-06508
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

NVD:
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2021-34228
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-06508 // VULMON: CVE-2021-34228 // JVNDB: JVNDB-2021-012360 // NVD: CVE-2021-34228 // CNNVD: CNNVD-202108-1807

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-012360 // NVD: CVE-2021-34228

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-1807

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202108-1807

CONFIGURATIONS

sources: NVD: CVE-2021-34228

PATCH

title: Top Page
url: https://www.totolink.net/

Trust: 0.8

sources: JVNDB: JVNDB-2021-012360

EXTERNAL IDS

db: NVD, id: CVE-2021-34228

Trust: 3.9

db: JVNDB, id: JVNDB-2021-012360

Trust: 0.8

db: CNVD, id: CNVD-2022-06508

Trust: 0.6

db: CNNVD, id: CNNVD-202108-1807

Trust: 0.6

db: VULMON, id: CVE-2021-34228

Trust: 0.1

sources: CNVD: CNVD-2022-06508 // VULMON: CVE-2021-34228 // JVNDB: JVNDB-2021-012360 // NVD: CVE-2021-34228 // CNNVD: CNNVD-202108-1807

REFERENCES

url: https://nvd.nist.gov/vuln/detail/cve-2021-34228

Trust: 2.0

url: https://github.com/pup2y/iotvul/tree/main/totolink/a3002r

Trust: 1.7

url: https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2022-06508 // VULMON: CVE-2021-34228 // JVNDB: JVNDB-2021-012360 // NVD: CVE-2021-34228 // CNNVD: CNNVD-202108-1807

SOURCES

db: CNVD, id: CNVD-2022-06508
db: VULMON, id: CVE-2021-34228
db: JVNDB, id: JVNDB-2021-012360
db: NVD, id: CVE-2021-34228
db: CNNVD, id: CNNVD-202108-1807

LAST UPDATE DATE

2023-12-18T13:22:47.703000+00:00

SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-06508, date: 2022-01-25T00:00:00
db: VULMON, id: CVE-2021-34228, date: 2021-08-26T00:00:00
db: JVNDB, id: JVNDB-2021-012360, date: 2022-08-30T03:26:00
db: NVD, id: CVE-2021-34228, date: 2021-08-26T14:27:34.350
db: CNNVD, id: CNNVD-202108-1807, date: 2022-03-24T00:00:00

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-06508, date: 2022-01-25T00:00:00
db: VULMON, id: CVE-2021-34228, date: 2021-08-20T00:00:00
db: JVNDB, id: JVNDB-2021-012360, date: 2022-08-30T00:00:00
db: NVD, id: CVE-2021-34228, date: 2021-08-20T17:15:07.647
db: CNNVD, id: CNNVD-202108-1807, date: 2021-08-20T00:00:00