Vulnerabilities > Draytek
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-24 | CVE-2023-1009 | Path Traversal vulnerability in Draytek Vigor2960 Firmware 1.5.1.4 ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical has been found in DrayTek Vigor 2960 1.5.1.4/1.5.1.5. | 5.5 |
| 2022-03-29 | CVE-2021-42911 | Use of Externally-Controlled Format String vulnerability in Draytek products A Format String vulnerability exists in DrayTek Vigor 2960 <= 1.5.1.3, DrayTek Vigor 3900 <= 1.5.1.3, and DrayTek Vigor 300B <= 1.5.1.3 in the mainfunction.cgi file via a crafted HTTP message containing malformed QUERY STRING, which could let a remote malicious user execute arbitrary code. | 7.5 |
| 2022-03-29 | CVE-2021-43118 | Command Injection vulnerability in Draytek products A Remote Command Injection vulnerability exists in DrayTek Vigor 2960 1.5.1.3, DrayTek Vigor 3900 1.5.1.3, and DrayTek Vigor 300B 1.5.1.3 via a crafted HTTP message containing malformed QUERY STRING in mainfunction.cgi, which could let a remote malicious user execute arbitrary code. | 7.5 |
| 2021-10-22 | CVE-2020-28968 | Cross-site Scripting vulnerability in Draytek products Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module. | 3.5 |
| 2021-10-13 | CVE-2021-20123 | Path Traversal vulnerability in Draytek Vigorconnect 1.6.0 A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. | 7.5 |
| 2021-10-13 | CVE-2021-20124 | Path Traversal vulnerability in Draytek Vigorconnect 1.6.0 A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. | 7.5 |
| 2021-10-13 | CVE-2021-20125 | Unrestricted Upload of File with Dangerous Type vulnerability in Draytek Vigorconnect 1.6.0 An arbitrary file upload and directory traversal vulnerability exists in the file upload functionality of DownloadFileServlet in Draytek VigorConnect 1.6.0-B3. | 10.0 |
| 2021-10-13 | CVE-2021-20126 | Cross-Site Request Forgery (CSRF) vulnerability in Draytek Vigorconnect 1.6.0 Draytek VigorConnect 1.6.0-B3 lacks cross-site request forgery protections and does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. | 6.8 |
| 2021-10-13 | CVE-2021-20127 | Unspecified vulnerability in Draytek Vigorconnect 1.6.0 An arbitrary file deletion vulnerability exists in the file delete functionality of the Html5Servlet endpoint of Draytek VigorConnect 1.6.0-B3. | 8.5 |
| 2021-10-13 | CVE-2021-20128 | Cross-site Scripting vulnerability in Draytek Vigorconnect 1.6.0 The Profile Name field in the floor plan (Network Menu) page in Draytek VigorConnect 1.6.0-B3 was found to be vulnerable to stored XSS, as user input is not properly sanitized. | 3.5 |