Vulnerabilities > Draytek

DATE CVE VULNERABILITY TITLE RISK
2023-06-01 CVE-2023-33778 Use of Hard-coded Credentials vulnerability in Draytek products
Draytek Vigor Routers firmware versions below 3.9.6/4.2.4, Access Points firmware versions below v1.4.0, Switches firmware versions below 2.6.7, and Myvigor firmware versions below 2.3.2 were discovered to use hardcoded encryption keys which allows attackers to bind any affected device to their own account.
network
low complexity
draytek CWE-798
critical
9.8
2023-03-15 CVE-2023-24229 Command Injection vulnerability in Draytek Vigor2960 Firmware 1.5.1.4
DrayTek Vigor2960 v1.5.1.4 allows an authenticated attacker with network access to the web management interface to inject operating system commands via the mainfunction.cgi 'parameter' parameter.
local
low complexity
draytek CWE-77
7.8
2023-03-03 CVE-2023-23313 Cross-site Scripting vulnerability in Draytek products
Certain Draytek products are vulnerable to Cross Site Scripting (XSS) via the wlogin.cgi script and user_login.cgi script of the router's web application management portal.
network
low complexity
draytek CWE-79
6.1
2023-03-03 CVE-2023-1162 Unspecified vulnerability in Draytek Vigor 2960 Firmware 1.5.1.4
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in DrayTek Vigor 2960 1.5.1.4/1.5.1.5.
network
low complexity
draytek
8.8
2023-03-03 CVE-2023-1163 Unspecified vulnerability in Draytek Vigor 2960 Firmware 1.5.1.4
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability has been found in DrayTek Vigor 2960 1.5.1.4/1.5.1.5 and classified as critical.
network
low complexity
draytek
6.5
2023-02-24 CVE-2023-1009 Unspecified vulnerability in Draytek Vigor2960 Firmware 1.5.1.4
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical has been found in DrayTek Vigor 2960 1.5.1.4/1.5.1.5.
local
low complexity
draytek
5.5
2022-08-29 CVE-2022-32548 Classic Buffer Overflow vulnerability in Draytek products
An issue was discovered on certain DrayTek Vigor routers before July 2022 such as the Vigor3910 before 4.3.1.1.
network
low complexity
draytek CWE-120
critical
9.8
2022-03-29 CVE-2021-42911 Use of Externally-Controlled Format String vulnerability in Draytek products
A Format String vulnerability exists in DrayTek Vigor 2960 <= 1.5.1.3, DrayTek Vigor 3900 <= 1.5.1.3, and DrayTek Vigor 300B <= 1.5.1.3 in the mainfunction.cgi file via a crafted HTTP message containing malformed QUERY STRING, which could let a remote malicious user execute arbitrary code.
network
low complexity
draytek CWE-134
critical
9.8
2022-03-29 CVE-2021-43118 Command Injection vulnerability in Draytek products
A Remote Command Injection vulnerability exists in DrayTek Vigor 2960 1.5.1.3, DrayTek Vigor 3900 1.5.1.3, and DrayTek Vigor 300B 1.5.1.3 via a crafted HTTP message containing malformed QUERY STRING in mainfunction.cgi, which could let a remote malicious user execute arbitrary code.
network
low complexity
draytek CWE-77
critical
9.8
2021-10-22 CVE-2020-28968 Cross-site Scripting vulnerability in Draytek products
Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module.
network
low complexity
draytek CWE-79
5.4