System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows malicious users to execute system commands via the "sambaUser" POST parameter.
totolink a3002ru_firmware 1.0.8