ID

VAR-202505-1839


CVE

CVE-2025-4852


TITLE

TOTOLINK A3002R firmware cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2025-006256

DESCRIPTION

A vulnerability classified as problematic has been found in TOTOLINK A3002R firmware 2.1.1-B20230720.1011. The issue affects some unknown processing in the VPN Page component: manipulation of the argument Comment leads to cross-site scripting. The attack may be initiated remotely, and an exploit has been disclosed to the public and may be used. In JVNDB's terms, the TOTOLINK A3002R firmware has a cross-site scripting vulnerability through which information may be tampered with. According to CNVD, TOTOLINK A3002R is a wireless router from China's TOTOLINK Electronics; the flaw is caused by the lack of effective filtering and escaping of user-supplied data in the Comment parameter of the VPN Page component, and no further technical details are currently provided. Note that both CVSS v3.1 vectors on this record carry PR:H and UI:R: the attacker already needs high-privilege (administrative) access to the router's web interface, and a victim must view the affected page. The v3.1 base scores (2.4 from the CNA, 3.4 from NVD) are accordingly in the LOW band.

Trust: 2.16

sources: NVD: CVE-2025-4852 // JVNDB: JVNDB-2025-006256 // CNVD: CNVD-2025-10916
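The following is an added illustration of the CWE-79 pattern the advisory describes, not TOTOLINK firmware code and not derived from the published exploit: a "Comment" value written into a VPN page without escaping, next to the output-encoding fix and a small tester-side check. Only the parameter name Comment and the VPN page come from the record; the function names, page layout, probe marker and sample entry are hypothetical.

```javascript
// Added illustration, not TOTOLINK firmware code: the CWE-79 pattern the
// advisory describes (a "Comment" value written into the VPN page without
// escaping) next to the output-encoding fix. Function names, page layout and
// the sample entry are hypothetical.

// Encode the five characters that matter in HTML text and quoted-attribute
// contexts. Enough for this page; a real application should use a maintained
// encoder and also consider JavaScript and URL contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the saved Comment is concatenated straight into markup,
// so any tag in it becomes part of the admin page's DOM.
function renderVpnRowVulnerable(entry) {
  return `<tr><td>${entry.name}</td><td>${entry.comment}</td></tr>`;
}

// Hardened pattern: every untrusted field is encoded for the context it lands in.
function renderVpnRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.name)}</td><td>${escapeHtml(entry.comment)}</td></tr>`;
}

// Tester-side check: after saving a comment that contains a harmless, unique
// marker tag, fetch the page and see whether the marker survives as raw markup.
// Only the literal tag indicates XSS; its escaped form (&lt;...&gt;) means the
// page is encoding correctly.
const PROBE = '<xsstest1>';

function markerRendersAsMarkup(html, marker = PROBE) {
  return html.includes(marker);
}

// Constructed sample data (not captured from a device).
const sampleEntry = { name: 'branch-office', comment: 'site A ' + PROBE };

// Render the same entry both ways and report whether the marker leaked.
function demo() {
  const vulnerable = renderVpnRowVulnerable(sampleEntry);
  const safe = renderVpnRowSafe(sampleEntry);
  return {
    vulnerable,
    safe,
    vulnerableLeaks: markerRendersAsMarkup(vulnerable),
    safeLeaks: markerRendersAsMarkup(safe),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Because the affected page is reachable only with high privileges (PR:H in both vectors), a practitioner should also ask whether the comment can be planted by a different path, for example a CSRF request from an already authenticated administrator's browser; the record does not say, so treat that as something to test, not something that is known.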

IOT TAXONOMY

category: Network device; sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-10916

AFFECTED PRODUCTS

vendor: totolink, model: a3002r, scope: eq, version: 2.1.1-b20230720.1011

Trust: 1.0

vendor: totolink, model: a3002r, scope: eq, version: -

Trust: 0.8

vendor: totolink, model: a3002r, scope: -, version: -

Trust: 0.8

vendor: totolink, model: a3002r, scope: eq, version: a3002r firmware 2.1.1-b20230720.1011

Trust: 0.8

vendor: totolink, model: a3002r 2.1.1-b20230720.1011, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2025-10916 // JVNDB: JVNDB-2025-006256 // NVD: CVE-2025-4852

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2025-4852
value: MEDIUM

Trust: 1.0

nvd@nist.gov: CVE-2025-4852
value: LOW

Trust: 1.0

OTHER: JVNDB-2025-006256
value: LOW

Trust: 0.8

CNVD: CNVD-2025-10916
value: LOW

Trust: 0.6

cna@vuldb.com: CVE-2025-4852
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

OTHER: JVNDB-2025-006256
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2025-10916
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com: CVE-2025-4852
baseSeverity: LOW
baseScore: 2.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 0.9
impactScore: 1.4
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2025-4852
baseSeverity: LOW
baseScore: 3.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: JVNDB-2025-006256
baseSeverity: LOW
baseScore: 3.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-10916 // JVNDB: JVNDB-2025-006256 // NVD: CVE-2025-4852

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.0

problemtype: CWE-94

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

problemtype: Cross-site scripting (CWE-79) [others]

Trust: 0.8

problemtype: Code injection (CWE-94) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2025-006256 // NVD: CVE-2025-4852

EXTERNAL IDS

db: NVD, id: CVE-2025-4852

Trust: 3.2

db: VULDB, id: 309323

Trust: 1.8

db: JVNDB, id: JVNDB-2025-006256

Trust: 0.8

db: CNVD, id: CNVD-2025-10916

Trust: 0.6

sources: CNVD: CNVD-2025-10916 // JVNDB: JVNDB-2025-006256 // NVD: CVE-2025-4852

REFERENCES

url:https://github.com/fizz-is-on-the-way/iot_vuls/tree/main/a3002ru_v2/xss_vpn

Trust: 2.4

url:https://vuldb.com/?id.309323

Trust: 1.8

url:https://vuldb.com/?submit.575099

Trust: 1.8

url:https://www.totolink.net/

Trust: 1.8

url:https://vuldb.com/?ctiid.309323

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2025-4852

Trust: 0.8

sources: CNVD: CNVD-2025-10916 // JVNDB: JVNDB-2025-006256 // NVD: CVE-2025-4852

SOURCES

db: CNVD, id: CNVD-2025-10916
db: JVNDB, id: JVNDB-2025-006256
db: NVD, id: CVE-2025-4852

LAST UPDATE DATE

2025-06-06T23:30:50.279000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-10916, date: 2025-05-28T00:00:00
db: JVNDB, id: JVNDB-2025-006256, date: 2025-06-05T01:56:00
db: NVD, id: CVE-2025-4852, date: 2025-06-04T20:10:34.490

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-10916, date: 2025-05-28T00:00:00
db: JVNDB, id: JVNDB-2025-006256, date: 2025-06-05T00:00:00
db: NVD, id: CVE-2025-4852, date: 2025-05-18T04:15:28.157