Vulnerabilities > Draytek

DATE CVE VULNERABILITY TITLE RISK
2021-10-13 CVE-2021-20123 Exposure of Resource to Wrong Sphere vulnerability in Draytek Vigorconnect 1.6.0
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint.
network
low complexity
draytek CWE-668
7.8
2021-10-13 CVE-2021-20124 Exposure of Resource to Wrong Sphere vulnerability in Draytek Vigorconnect 1.6.0
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint.
network
low complexity
draytek CWE-668
7.8
2021-10-13 CVE-2021-20125 Unrestricted Upload of File with Dangerous Type vulnerability in Draytek Vigorconnect 1.6.0
An arbitrary file upload and directory traversal vulnerability exists in the file upload functionality of DownloadFileServlet in Draytek VigorConnect 1.6.0-B3.
network
low complexity
draytek CWE-434
critical
10.0
2021-10-13 CVE-2021-20126 Cross-Site Request Forgery (CSRF) vulnerability in Draytek Vigorconnect 1.6.0
Draytek VigorConnect 1.6.0-B3 lacks cross-site request forgery protections and does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
network
draytek CWE-352
6.8
2021-10-13 CVE-2021-20127 Unspecified vulnerability in Draytek Vigorconnect 1.6.0
An arbitrary file deletion vulnerability exists in the file delete functionality of the Html5Servlet endpoint of Draytek VigorConnect 1.6.0-B3.
network
low complexity
draytek
8.5
2021-10-13 CVE-2021-20128 Cross-site Scripting vulnerability in Draytek Vigorconnect 1.6.0
The Profile Name field in the floor plan (Network Menu) page in Draytek VigorConnect 1.6.0-B3 was found to be vulnerable to stored XSS, as user input is not properly sanitized.
network
draytek CWE-79
3.5
2021-10-13 CVE-2021-20129 Information Exposure Through Log Files vulnerability in Draytek Vigorconnect 1.6.0
An information disclosure vulnerability exists in Draytek VigorConnect 1.6.0-B3, allowing an unauthenticated attacker to export system logs.
network
low complexity
draytek CWE-532
5.0
2020-12-31 CVE-2020-19664 Argument Injection or Modification vulnerability in Draytek Vigor2960 Firmware 1.3.1/1.5.1
DrayTek Vigor2960 1.5.1 allows remote command execution via shell metacharacters in a toLogin2FA action to mainfunction.cgi.
network
low complexity
draytek CWE-88
6.5
2020-06-30 CVE-2020-15415 OS Command Injection vulnerability in Draytek products
On DrayTek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1, cgi-bin/mainfunction.cgi/cvmcfgupload allows remote command execution via shell metacharacters in a filename when the text/x-python-script content type is used, a different issue than CVE-2020-14472.
network
low complexity
draytek CWE-78
7.5
2020-06-24 CVE-2020-14473 Out-of-bounds Write vulnerability in Draytek products
Stack-based buffer overflow vulnerability in Vigor3900, Vigor2960, and Vigor300B with firmware before 1.5.1.1.
network
low complexity
draytek CWE-787
7.5