In Totolink A3100R V5.9c.4577, "test.asp" contains an API-like function, which is not authenticated. Using this function, an attacker can configure multiple settings without authentication.Referenceshttp://a3100r.comhttps://hackmd.io/vS-OfUEzSqqKh8e1PKce5A