CVE-2018-13313: Admin Password returned in password.htm
First published: Mon Feb 24 2020(Updated: )
In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the user to change their account name and password. This page, password.htm, contains JavaScript which is used to confirm the user knows their current password before allowing them to change their password. However, this JavaScript contains the current user’s password in plaintext.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Totolink A3002ru Firmware | =1.0.8 | |
| TOTOLINK A3002RU |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2018-13313?
CVE-2018-13313 is a vulnerability found in TOTOLINK A3002RU 1.0.8 router firmware.
What is the severity of CVE-2018-13313?
The severity of CVE-2018-13313 is medium with a severity score of 6.5.
How does CVE-2018-13313 affect TOTOLINK A3002RU 1.0.8?
CVE-2018-13313 allows an attacker to bypass the password change confirmation mechanism and change the account name and password.
Is TOTOLINK A3002RU 1.0.8 the only affected version?
Yes, TOTOLINK A3002RU 1.0.8 is the only affected version.
How can I fix CVE-2018-13313?
There is no official fix available for CVE-2018-13313 at the moment. It is recommended to update to the latest firmware version provided by TOTOLINK when it becomes available.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/title
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- vendor/totolink
- canonical/totolink a3002ru firmware
- version/totolink a3002ru firmware/1.0.8
- canonical/totolink a3002ru