Totolink X2000r Firmware

TOTOLINK X2000R Device Name XSS on Parent Controls (v1.0.0-B20230726.1108)
CVE-2025-5543 4.8 - Medium - June 03, 2025

A vulnerability was found in TOTOLINK X2000R 1.0.0-B20230726.1108. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Parent Controls Page. The manipulation of the argument Device Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

XSS

TOTOLINK X2000R XSS via service_type in Virtual Server (v1.0.0-B20230726.1108)
CVE-2025-5542 4.8 - Medium - June 03, 2025

A vulnerability was found in TOTOLINK X2000R 1.0.0-B20230726.1108. It has been classified as problematic. Affected is an unknown function of the file /boafrm/formPortFw of the component Virtual Server Page. The manipulation of the argument service_type leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

XSS

TOTOLINK X2000R 1.0.0 CmdInject via devicemac1 (remote)
CVE-2025-5515 6.3 - Medium - June 03, 2025

A vulnerability, which was classified as critical, has been found in TOTOLINK X2000R 1.0.0-B20230726.1108. Affected by this issue is some unknown functionality of the file /boafrm/formMapDel. The manipulation of the argument devicemac1 leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection

TOTOLINK X2000R 1.0.0-B20230726.1108 XSS via URL Filtering
CVE-2025-5516 4.8 - Medium - June 03, 2025

A vulnerability, which was classified as problematic, was found in TOTOLINK X2000R 1.0.0-B20230726.1108. This affects an unknown part of the file /boafrm/formFilter of the component URL Filtering Page. The manipulation of the argument URL Address leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

XSS

CRIT Remote Cmd Inject in TOTOLINK X2000R 1.0.0 via /boafrm/formWsc
CVE-2025-5504 6.3 - Medium - June 03, 2025

A vulnerability has been found in TOTOLINK X2000R 1.0.0-B20230726.1108 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formWsc. The manipulation of the argument peerRptPin leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection

CVE-2024-33433 XSS in TOTOLINK X2000R Guest Access before v1.0.0-B20231213.1013
CVE-2024-33433 - May 14, 2024

Cross Site Scripting vulnerability in TOTOLINK X2000R before v1.0.0-B20231213.1013 allows a remote attacker to execute arbitrary code via the Guest Access Control parameter in the Wireless Page.

Stored XSS in Firewall IP/Port Filtering on TOTOLINK X2000R V <1.0.0-B20231213.1013
CVE-2024-28402 - April 11, 2024

TOTOLINK X2000R before V1.0.0-B20231213.1013 contains a Stored Cross-site scripting (XSS) vulnerability in IP/Port Filtering under the Firewall Page.

XSS in Wireless Settings of TOTOLINK X2000R <v1.0.0-B20231213.1013
CVE-2024-29419 5.4 - Medium - March 20, 2024

There is a Cross-site scripting (XSS) vulnerability in the Wireless settings under the Easy Setup Page of TOTOLINK X2000R before v1.0.0-B20231213.1013.

XSS

TOTOLINK X2000R XSS in Firewall MAC Filtering (pre V1.0.0-B20231213.1013)
CVE-2024-28404 - March 15, 2024

TOTOLINK X2000R before V1.0.0-B20231213.1013 contains a Stored Cross-site scripting (XSS) vulnerability in MAC Filtering under the Firewall Page.

TOTOLINK X2000R XSS via Wireless Root Access Control (before v1.0.0-B20231213.1013)
CVE-2024-28401 5.4 - Medium - March 15, 2024

TOTOLINK X2000R before v1.0.0-B20231213.1013 contains a Store Cross-site scripting (XSS) vulnerability in Root Access Control under the Wireless Page.

XSS

TOTOLINK X2000R <V1.0.0-B20231213.1013 XSS via VPN Page
CVE-2024-28403 5.4 - Medium - March 15, 2024

TOTOLINK X2000R before V1.0.0-B20231213.1013 is vulnerable to Cross Site Scripting (XSS) via the VPN Page.

XSS

Command Injection in /bin/boa on TOTOLINK X2000R_V2 V2.0.0-
CVE-2024-22529 9.8 - Critical - January 25, 2024

TOTOLINK X2000R_V2 V2.0.0-B20230727.10434 has a command injection vulnerability in the sub_449040 (handle function of formUploadFile) of /bin/boa.

Command Injection

Totolink X2000R 1.0.0 Command Injection via formMapDelDevice
CVE-2024-0579 9.8 - Critical - January 16, 2024

A vulnerability classified as critical was found in Totolink X2000R 1.0.0-B20221212.1452. Affected by this vulnerability is the function formMapDelDevice of the file /boafrm/formMapDelDevice. The manipulation of the argument macstr leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46541 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formIpv6Setup.

Memory Corruption

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46540 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formNtp.

Memory Corruption

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46564 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formDMZ.

Memory Corruption

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46542 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formMeshUploadConfig.

Memory Corruption

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46543 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formWlSiteSurvey.

Memory Corruption

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46544 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formWirelessTbl.

Memory Corruption

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46552 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formMultiAP.

Memory Corruption

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46553 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formParentControl.

Memory Corruption

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46554 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formMapDel.

Memory Corruption

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46555 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formPortFw.

Memory Corruption

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46556 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formFilter.

Memory Corruption

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46557 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formMultiAPVLAN.

Memory Corruption

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46558 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formMapDelDevice.

Memory Corruption

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46559 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formIPv6Addr.

Memory Corruption

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46560 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formTcpipSetup.

Memory Corruption

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46562 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formDosCfg.

Memory Corruption

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow
CVE-2023-46563 9.8 - Critical - October 25, 2023

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formIpQoS.

Memory Corruption