Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows malicious users to execute arbitrary JavaScript via the user's password.
totolink a3002ru_firmware 1.0.8