ID

VAR-202506-0049


CVE

CVE-2025-5505


TITLE

Cross-site scripting vulnerability in TOTOLINK A3002RU firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-007279

DESCRIPTION

A vulnerability was found in TOTOLINK A3002RU 2.1.1-B20230720.1011 and classified as problematic. This issue affects some unknown processing of the file /boafrm/formPortFw of the component Virtual Server Page. The manipulation of the argument service_type leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. The TOTOLINK A3002RU firmware contains cross-site scripting and code injection vulnerabilities. Information may be tampered with. TOTOLINK A3002RU is a wireless router product of China's TOTOLINK Electronics. No detailed vulnerability details are currently provided.

Trust: 2.16

sources: NVD: CVE-2025-5505 // JVNDB: JVNDB-2025-007279 // CNVD: CNVD-2025-12125

IOT TAXONOMY

category: ['Network device'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-12125

AFFECTED PRODUCTS

vendor: totolink model: a3002ru scope: eq version: 2.1.1-b20230720.1011

Trust: 1.0

vendor: totolink model: a3002ru scope: eq version: -

Trust: 0.8

vendor: totolink model: a3002ru scope: - version: -

Trust: 0.8

vendor: totolink model: a3002ru scope: eq version: a3002ru firmware 2.1.1-b20230720.1011

Trust: 0.8

vendor: totolink model: a3002ru 2.1.1-b20230720.1011 scope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2025-12125 // JVNDB: JVNDB-2025-007279 // NVD: CVE-2025-5505

CVSS

SEVERITY

cna@vuldb.com: CVE-2025-5505
value: MEDIUM

Trust: 1.0

OTHER: JVNDB-2025-007279
value: LOW

Trust: 0.8

CNVD: CNVD-2025-12125
value: LOW

Trust: 0.6

CVSSV2

cna@vuldb.com: CVE-2025-5505
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

OTHER: JVNDB-2025-007279
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2025-12125
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

cna@vuldb.com: CVE-2025-5505
baseSeverity: LOW
baseScore: 2.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 0.9
impactScore: 1.4
version: 3.1

Trust: 1.0

OTHER: JVNDB-2025-007279
baseSeverity: LOW
baseScore: 2.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-12125 // JVNDB: JVNDB-2025-007279 // NVD: CVE-2025-5505

PROBLEMTYPE DATA

problemtype:CWE-94

Trust: 1.0

problemtype:CWE-79

Trust: 1.0

problemtype:Cross-site scripting (CWE-79) [ others ]

Trust: 0.8

problemtype:Code injection (CWE-94) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2025-007279 // NVD: CVE-2025-5505

EXTERNAL IDS

db: NVD id: CVE-2025-5505

Trust: 3.2

db: VULDB id: 310919

Trust: 1.8

db: JVNDB id: JVNDB-2025-007279

Trust: 0.8

db: CNVD id: CNVD-2025-12125

Trust: 0.6

sources: CNVD: CNVD-2025-12125 // JVNDB: JVNDB-2025-007279 // NVD: CVE-2025-5505

REFERENCES

url:https://github.com/fizz-is-on-the-way/iot_vuls/tree/main/a3002ru_v2/xss_virtual_server

Trust: 2.4

url:https://vuldb.com/?id.310919

Trust: 1.8

url:https://vuldb.com/?submit.584662

Trust: 1.8

url:https://www.totolink.net/

Trust: 1.8

url:https://vuldb.com/?ctiid.310919

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2025-5505

Trust: 0.8

sources: CNVD: CNVD-2025-12125 // JVNDB: JVNDB-2025-007279 // NVD: CVE-2025-5505

SOURCES

db: CNVD id: CNVD-2025-12125
db: JVNDB id: JVNDB-2025-007279
db: NVD id: CVE-2025-5505

LAST UPDATE DATE

2025-06-20T23:20:59.213000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2025-12125 date: 2025-06-11T00:00:00
db: JVNDB id: JVNDB-2025-007279 date: 2025-06-19T07:10:00
db: NVD id: CVE-2025-5505 date: 2025-06-17T20:40:34.987

SOURCES RELEASE DATE

db: CNVD id: CNVD-2025-12125 date: 2025-06-11T00:00:00
db: JVNDB id: JVNDB-2025-007279 date: 2025-06-19T00:00:00
db: NVD id: CVE-2025-5505 date: 2025-06-03T15:16:00.717