ID

VAR-202506-0049


CVE

CVE-2025-5505


TITLE

TOTOLINK A3002RU Virtual Server Page Component Cross-Site Scripting Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2025-12125

DESCRIPTION

A vulnerability was found in TOTOLINK A3002RU 2.1.1-B20230720.1011 and classified as problematic. This issue affects some unknown processing of the file /boafrm/formPortFw of the component Virtual Server Page. The manipulation of the argument service_type leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. TOTOLINK A3002RU is a wireless router product of China's TOTOLINK Electronics. Detailed vulnerability information is not currently provided.

Trust: 1.44

sources: NVD: CVE-2025-5505 // CNVD: CNVD-2025-12125

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-12125

AFFECTED PRODUCTS

vendor: totolink, model: a3002ru 2.1.1-b20230720.1011, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2025-12125

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2025-5505
value: MEDIUM

Trust: 1.0

CNVD: CNVD-2025-12125
value: LOW

Trust: 0.6

cna@vuldb.com: CVE-2025-5505
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2025-12125
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com: CVE-2025-5505
baseSeverity: LOW
baseScore: 2.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 0.9
impactScore: 1.4
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2025-12125 // NVD: CVE-2025-5505

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.0

problemtype: CWE-94

Trust: 1.0

sources: NVD: CVE-2025-5505

EXTERNAL IDS

db: NVD, id: CVE-2025-5505

Trust: 1.6

db: VULDB, id: 310919

Trust: 1.0

db: CNVD, id: CNVD-2025-12125

Trust: 0.6

sources: CNVD: CNVD-2025-12125 // NVD: CVE-2025-5505

REFERENCES

url:https://github.com/fizz-is-on-the-way/iot_vuls/tree/main/a3002ru_v2/xss_virtual_server

Trust: 1.6

url:https://vuldb.com/?ctiid.310919

Trust: 1.0

url:https://www.totolink.net/

Trust: 1.0

url:https://vuldb.com/?submit.584662

Trust: 1.0

url:https://vuldb.com/?id.310919

Trust: 1.0

sources: CNVD: CNVD-2025-12125 // NVD: CVE-2025-5505

SOURCES

db: CNVD, id: CNVD-2025-12125
db: NVD, id: CVE-2025-5505

LAST UPDATE DATE

2025-06-14T23:05:13.524000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-12125, date: 2025-06-11T00:00:00
db: NVD, id: CVE-2025-5505, date: 2025-06-04T14:54:33.783

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-12125, date: 2025-06-11T00:00:00
db: NVD, id: CVE-2025-5505, date: 2025-06-03T15:16:00.717