# CVE-2021-46009

## Missing Authentication for Critical Function in Totolink A3100R V5.9c.4577

by KVS

* Description

  Multiple pages of the web interface can be read with curl or Burp Suite without authenticating. Administrative settings can also be changed by POST requests that carry no session cookie; an attacker can use this to enable telnet and log in as root to obtain a shell.

* Affected version

  Totolink A3100R V5.9c.4577

* Root Cause Analysis

  a. Session management is not enforced: the source of protected pages can be retrieved with curl or Burp Suite without a valid session.

  b. The handlers that accept a POSTed setting do not perform an authorization check, so a new configuration value is applied whether or not the request belongs to a logged-in session.

* Proof-of-Concept

  {%youtube N3TXrX_63WA %}
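The following script is an added example that illustrates the two root causes above; it is not part of the advisory and not the vendor's code. It checks whether a web UI (a) serves protected pages identically with and without a session cookie and (b) accepts a configuration POST that carries no session cookie. The paths `/admin.html`, `/set_config` and `/login.html`, the cookie value `SESSION_ID=abc123` and the `fake_device` stand-in are assumptions constructed for the example; they are not the A3100R's real endpoints. `http_fetch` is provided so the same audit can be pointed at a real device you are authorized to test.

```python
"""Audit whether a web UI enforces session checks on page reads and setting writes.

Added example (not from the advisory). Endpoint paths and the fake device are
constructed assumptions, not the real Totolink A3100R interface.
"""
from dataclasses import dataclass
import urllib.error
import urllib.parse
import urllib.request


@dataclass
class Finding:
    method: str
    path: str
    reason: str


def looks_like_login_page(status, headers, body):
    """True if the response is what a protected page should give an anonymous client:
    a redirect/denial, or a login form (seen when redirects were followed)."""
    if status in (301, 302, 303, 307, 308, 401, 403):
        return True
    low = body.lower()
    return "login" in low and "password" in low


def audit(fetch, get_paths, post_checks, session_cookie):
    """fetch(method, path, headers, data) -> (status, headers, body).

    get_paths:   pages that must require a session (root cause a).
    post_checks: (path, form_dict) setting writes that must require a session (root cause b).
    """
    findings = []
    for path in get_paths:
        anon = fetch("GET", path, {}, None)
        if looks_like_login_page(*anon):
            continue
        auth = fetch("GET", path, {"Cookie": session_cookie}, None)
        if anon[2] == auth[2]:
            findings.append(Finding("GET", path, "same content with and without session cookie"))
    for path, data in post_checks:
        status, headers, body = fetch("POST", path, {}, data)
        if 200 <= status < 300 and not looks_like_login_page(status, headers, body):
            findings.append(Finding("POST", path, "setting accepted without session cookie"))
    return findings


def http_fetch(base_url, timeout=5):
    """Real fetcher built on the standard library (assumed usage, untested here).
    urlopen follows redirects, so a 302-to-login shows up as a 200 login form,
    which looks_like_login_page still recognises by body content."""
    def fetch(method, path, headers, data):
        body = urllib.parse.urlencode(data).encode() if data else None
        req = urllib.request.Request(base_url + path, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as r:
                return r.status, dict(r.headers), r.read().decode(errors="replace")
        except urllib.error.HTTPError as e:
            return e.code, dict(e.headers), e.read().decode(errors="replace")
    return fetch


def fake_device(enforce_sessions):
    """Constructed stand-in for a router web UI. With enforce_sessions=False it
    behaves like the advisory describes: pages and setting writes ignore the cookie."""
    valid_cookie = "SESSION_ID=abc123"
    config = {"telnet": "0"}

    def fetch(method, path, headers, data):
        if method == "GET" and path == "/login.html":
            return 200, {}, "<form>user password login</form>"
        if enforce_sessions and headers.get("Cookie") != valid_cookie:
            return 302, {"Location": "/login.html"}, ""
        if method == "GET" and path == "/admin.html":
            return 200, {}, "<html>admin telnet=%s</html>" % config["telnet"]
        if method == "POST" and path == "/set_config":
            config.update(data or {})
            return 200, {}, "OK"
        return 404, {}, ""
    return fetch


PAGES = ["/admin.html"]
WRITES = [("/set_config", {"telnet": "1"})]
COOKIE = "SESSION_ID=abc123"


def run_demo():
    """Run the audit against the vulnerable and the hardened fake device."""
    weak = audit(fake_device(enforce_sessions=False), PAGES, WRITES, COOKIE)
    strong = audit(fake_device(enforce_sessions=True), PAGES, WRITES, COOKIE)
    return weak, strong


if __name__ == "__main__":
    weak, strong = run_demo()
    for f in weak:
        print("VULN %s %s: %s" % (f.method, f.path, f.reason))
    print("hardened device findings:", len(strong))
```

To use it against a device, replace the fake fetcher with `http_fetch("http://192.168.0.1")`, log in once through a browser to obtain a real session cookie for `COOKIE`, and list the pages and setting endpoints observed in Burp Suite. Note that the POST check changes device state, so point it at a harmless setting.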