Vulnerabilities > Draytek

DATE CVE VULNERABILITY TITLE RISK
2020-03-26 CVE-2020-10823 Out-of-bounds Write vulnerability in Draytek products
A stack-based buffer overflow in /cgi-bin/activate.cgi through var parameter on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request (issue 1 of 3).
network
low complexity
draytek CWE-787
7.5
7.5
2020-02-01 CVE-2020-8515 OS Command Injection vulnerability in Draytek products
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI.
network
low complexity
draytek CWE-78
critical
 9.8
9.8
2019-09-20 CVE-2019-16534 Cross-site Scripting vulnerability in Draytek Vigor2925 Firmware 3.8.4.3
On DrayTek Vigor2925 devices with firmware 3.8.4.3, XSS exists via a crafted WAN name on the General Setup screen.
network
draytek CWE-79
4.3
4.3
2019-09-20 CVE-2019-16533 Cross-site Scripting vulnerability in Draytek Vigor2925 Firmware 3.8.4.3
On DrayTek Vigor2925 devices with firmware 3.8.4.3, Incorrect Access Control exists in loginset.htm, and can be used to trigger XSS.
network
draytek CWE-79
4.3
4.3
2018-03-07 CVE-2017-11650 Cross-site Scripting vulnerability in Draytek Vigorap 910C Firmware 1.2.0
Cross-site scripting (XSS) vulnerability in DrayTek Vigor AP910C devices with firmware 1.2.0_RC3 build r6594 allows remote attackers to inject arbitrary web script or HTML via vectors involving home.asp.
network
draytek CWE-79
4.3
4.3
2018-03-07 CVE-2017-11649 Cross-Site Request Forgery (CSRF) vulnerability in Draytek Vigorap 910C Firmware 1.2.0
Cross-site request forgery (CSRF) vulnerability in DrayTek Vigor AP910C devices with firmware 1.2.0_RC3 build r6594 allows remote attackers to hijack the authentication of unspecified users for requests that enable SNMP on the remote device via vectors involving goform/setSnmp.
network
draytek CWE-352
6.8
6.8
2013-10-22 CVE-2013-5703 OS Command Injection vulnerability in Draytek Vigor 2700 Router and Vigor 2700 Router Firmware
The DrayTek Vigor 2700 router 2.8.3 allows remote attackers to execute arbitrary JavaScript code, and modify settings or the DNS cache, via a crafted SSID value that is not properly handled during insertion into the sWlessSurvey value in variables.js.
network
draytek CWE-78
6.8
6.8