Vulnerabilities > Draytek
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-10-13 | CVE-2021-20123 | Path Traversal vulnerability in Draytek Vigorconnect 1.6.0 A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. | 7.5 |
| 2021-10-13 | CVE-2021-20124 | Path Traversal vulnerability in Draytek Vigorconnect 1.6.0 A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. | 7.5 |
| 2021-10-13 | CVE-2021-20125 | Unrestricted Upload of File with Dangerous Type vulnerability in Draytek Vigorconnect 1.6.0 An arbitrary file upload and directory traversal vulnerability exists in the file upload functionality of DownloadFileServlet in Draytek VigorConnect 1.6.0-B3. | 9.8 |
| 2021-10-13 | CVE-2021-20126 | Cross-Site Request Forgery (CSRF) vulnerability in Draytek Vigorconnect 1.6.0 Draytek VigorConnect 1.6.0-B3 lacks cross-site request forgery protections and does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. | 8.8 |
| 2021-10-13 | CVE-2021-20127 | Unspecified vulnerability in Draytek Vigorconnect 1.6.0 An arbitrary file deletion vulnerability exists in the file delete functionality of the Html5Servlet endpoint of Draytek VigorConnect 1.6.0-B3. | 8.1 |
| 2021-10-13 | CVE-2021-20128 | Cross-site Scripting vulnerability in Draytek Vigorconnect 1.6.0 The Profile Name field in the floor plan (Network Menu) page in Draytek VigorConnect 1.6.0-B3 was found to be vulnerable to stored XSS, as user input is not properly sanitized. | 5.4 |
| 2021-10-13 | CVE-2021-20129 | Information Exposure Through Log Files vulnerability in Draytek Vigorconnect 1.6.0 An information disclosure vulnerability exists in Draytek VigorConnect 1.6.0-B3, allowing an unauthenticated attacker to export system logs. | 7.5 |
| 2020-12-31 | CVE-2020-19664 | OS Command Injection vulnerability in Draytek Vigor2960 Firmware 1.3.1 DrayTek Vigor2960 1.5.1 allows remote command execution via shell metacharacters in a toLogin2FA action to mainfunction.cgi. | 8.8 |
| 2020-06-30 | CVE-2020-15415 | OS Command Injection vulnerability in Draytek products On DrayTek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1, cgi-bin/mainfunction.cgi/cvmcfgupload allows remote command execution via shell metacharacters in a filename when the text/x-python-script content type is used, a different issue than CVE-2020-14472. | 9.8 |
| 2020-06-24 | CVE-2020-14473 | Out-of-bounds Write vulnerability in Draytek products Stack-based buffer overflow vulnerability in Vigor3900, Vigor2960, and Vigor300B with firmware before 1.5.1.1. | 9.8 |