ID

VAR-202506-0055


CVE

CVE-2025-5506


TITLE

Cross-site scripting vulnerability in TOTOLINK A3002RU firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-007248

DESCRIPTION

A vulnerability was found in TOTOLINK A3002RU 2.1.1-B20230720.1011. It has been classified as problematic. Affected is an unknown function of the component NAT Mapping Page. The manipulation of the argument Comment leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. The TOTOLINK A3002RU firmware contains cross-site scripting and code injection vulnerabilities. Information may be obtained and information may be tampered with. TOTOLINK A3002RU is a wireless router product of China's Jiong Electronics (TOTOLINK) Company. No detailed vulnerability details are currently provided.

Trust: 2.16

sources: NVD: CVE-2025-5506 // JVNDB: JVNDB-2025-007248 // CNVD: CNVD-2025-12124

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-12124

AFFECTED PRODUCTS

vendor: totolink, model: a3002ru, scope: eq, version: 2.1.1-b20230720.1011

Trust: 1.0

vendor: totolink, model: a3002ru, scope: eq, version: -

Trust: 0.8

vendor: totolink, model: a3002ru, scope: -, version: -

Trust: 0.8

vendor: totolink, model: a3002ru, scope: eq, version: a3002ru firmware 2.1.1-b20230720.1011

Trust: 0.8

vendor: totolink, model: a3002ru 2.1.1-b20230720.1011, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2025-12124 // JVNDB: JVNDB-2025-007248 // NVD: CVE-2025-5506

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2025-5506
value: MEDIUM

Trust: 1.0

nvd@nist.gov: CVE-2025-5506
value: MEDIUM

Trust: 1.0

OTHER: JVNDB-2025-007248
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2025-12124
value: LOW

Trust: 0.6

cna@vuldb.com: CVE-2025-5506
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

OTHER: JVNDB-2025-007248
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2025-12124
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com: CVE-2025-5506
baseSeverity: LOW
baseScore: 2.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 0.9
impactScore: 1.4
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2025-5506
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: JVNDB-2025-007248
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-12124 // JVNDB: JVNDB-2025-007248 // NVD: CVE-2025-5506 // NVD: CVE-2025-5506

PROBLEMTYPE DATA

problemtype: CWE-94

Trust: 1.0

problemtype: CWE-79

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [ others ]

Trust: 0.8

problemtype: Code injection (CWE-94) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2025-007248 // NVD: CVE-2025-5506

EXTERNAL IDS

db: NVD, id: CVE-2025-5506

Trust: 3.2

db: VULDB, id: 310920

Trust: 1.8

db: JVNDB, id: JVNDB-2025-007248

Trust: 0.8

db: CNVD, id: CNVD-2025-12124

Trust: 0.6

sources: CNVD: CNVD-2025-12124 // JVNDB: JVNDB-2025-007248 // NVD: CVE-2025-5506

REFERENCES

url:https://github.com/fizz-is-on-the-way/iot_vuls/tree/main/a3002ru_v2/xss_nat_mapping

Trust: 2.4

url:https://vuldb.com/?id.310920

Trust: 1.8

url:https://vuldb.com/?submit.584663

Trust: 1.8

url:https://www.totolink.net/

Trust: 1.8

url:https://vuldb.com/?ctiid.310920

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2025-5506

Trust: 0.8

sources: CNVD: CNVD-2025-12124 // JVNDB: JVNDB-2025-007248 // NVD: CVE-2025-5506

SOURCES

db: CNVD, id: CNVD-2025-12124
db: JVNDB, id: JVNDB-2025-007248
db: NVD, id: CVE-2025-5506

LAST UPDATE DATE

2025-06-20T23:14:13.534000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-12124, date: 2025-06-11T00:00:00
db: JVNDB, id: JVNDB-2025-007248, date: 2025-06-19T05:23:00
db: NVD, id: CVE-2025-5506, date: 2025-06-17T20:40:41.663

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-12124, date: 2025-06-11T00:00:00
db: JVNDB, id: JVNDB-2025-007248, date: 2025-06-19T00:00:00
db: NVD, id: CVE-2025-5506, date: 2025-06-03T15:16:00.897