Vulnerabilities > Buffalo > Ts5600D1206 Firmware

DATE CVE VULNERABILITY TITLE RISK
2018-11-26 CVE-2018-13324 Incorrect Authorization vulnerability in Buffalo Ts5600D1206 Firmware 3.610.10
Incorrect access control in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to bypass authentication by sending a modified HTTP Host header.
network
low complexity
buffalo CWE-863
7.5
2018-11-26 CVE-2018-13323 Cross-site Scripting vulnerability in Buffalo Ts5600D1206 Firmware 3.610.10
Cross-site scripting in detail.html in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to execute JavaScript via the "username" cookie.
network
buffalo CWE-79
4.3
2018-11-26 CVE-2018-13322 Path Traversal vulnerability in Buffalo Ts5600D1206 Firmware 3.610.10
Directory traversal in list_folders method in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to list directory contents via the "path" parameter.
network
low complexity
buffalo CWE-22
4.0
2018-11-26 CVE-2018-13321 Incorrect Permission Assignment for Critical Resource vulnerability in Buffalo Ts5600D1206 Firmware 3.610.10
Incorrect access controls in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allow attackers to call dangerous internal functions via the "method" parameter.
network
low complexity
buffalo CWE-732
6.5
2018-11-26 CVE-2018-13320 OS Command Injection vulnerability in Buffalo Ts5600D1206 Firmware 3.610.10
System Command Injection in network.set_auth_settings in Buffalo TS5600D1206 version 3.70-0.10 allows attackers to execute system commands via the adminUsername and adminPassword parameters.
network
low complexity
buffalo CWE-78
6.5
2018-11-26 CVE-2018-13319 Information Exposure vulnerability in Buffalo Ts5600D1206 Firmware 3.610.10
Incorrect access control in get_portal_info in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to determine sensitive device information via an unauthenticated POST request.
network
low complexity
buffalo CWE-200
5.0
2018-11-26 CVE-2018-13318 OS Command Injection vulnerability in Buffalo Ts5600D1206 Firmware 3.610.10
System command injection in User.create method in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to execute system commands via the "name" parameter.
network
low complexity
buffalo CWE-78
6.5