System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows malicious users to execute system commands via the "ipAddr" POST parameter.
totolink a3002ru_firmware 1.0.8