Vulnerabilities > Draytek
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-03-29 | CVE-2021-43118 | Command Injection vulnerability in Draytek products A Remote Command Injection vulnerability exists in DrayTek Vigor 2960 1.5.1.3, DrayTek Vigor 3900 1.5.1.3, and DrayTek Vigor 300B 1.5.1.3 via a crafted HTTP message containing malformed QUERY STRING in mainfunction.cgi, which could let a remote malicious user execute arbitrary code. | 7.5 |
2021-10-22 | CVE-2020-28968 | Cross-site Scripting vulnerability in Draytek products Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module. | 3.5 |
2021-10-13 | CVE-2021-20123 | Path Traversal vulnerability in Draytek Vigorconnect 1.6.0 A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. | 7.8 |
2021-10-13 | CVE-2021-20124 | Path Traversal vulnerability in Draytek Vigorconnect 1.6.0 A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. | 7.8 |
2021-10-13 | CVE-2021-20125 | Unrestricted Upload of File with Dangerous Type vulnerability in Draytek Vigorconnect 1.6.0 An arbitrary file upload and directory traversal vulnerability exists in the file upload functionality of DownloadFileServlet in Draytek VigorConnect 1.6.0-B3. | 10.0 |
2021-10-13 | CVE-2021-20126 | Cross-Site Request Forgery (CSRF) vulnerability in Draytek Vigorconnect 1.6.0 Draytek VigorConnect 1.6.0-B3 lacks cross-site request forgery protections and does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. | 6.8 |
2021-10-13 | CVE-2021-20127 | Unspecified vulnerability in Draytek Vigorconnect 1.6.0 An arbitrary file deletion vulnerability exists in the file delete functionality of the Html5Servlet endpoint of Draytek VigorConnect 1.6.0-B3. | 8.5 |
2021-10-13 | CVE-2021-20128 | Cross-site Scripting vulnerability in Draytek Vigorconnect 1.6.0 The Profile Name field in the floor plan (Network Menu) page in Draytek VigorConnect 1.6.0-B3 was found to be vulnerable to stored XSS, as user input is not properly sanitized. | 3.5 |
2021-10-13 | CVE-2021-20129 | Information Exposure Through Log Files vulnerability in Draytek Vigorconnect 1.6.0 An information disclosure vulnerability exists in Draytek VigorConnect 1.6.0-B3, allowing an unauthenticated attacker to export system logs. | 5.0 |
2020-12-31 | CVE-2020-19664 | OS Command Injection vulnerability in Draytek Vigor2960 Firmware 1.3.1 DrayTek Vigor2960 1.5.1 allows remote command execution via shell metacharacters in a toLogin2FA action to mainfunction.cgi. | 8.8 |