Vulnerabilities > Hongdian
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-01-12 | CVE-2023-49253 | Use of Hard-coded Credentials vulnerability in Hongdian H8951-4G-Esp Firmware Root user password is hardcoded into the device and cannot be changed in the user interface. | 9.8 |
| 2024-01-12 | CVE-2023-49254 | OS Command Injection vulnerability in Hongdian H8951-4G-Esp Firmware Authenticated user can execute arbitrary commands in the context of the root user by providing payload in the "destination" field of the network test tools. | 8.8 |
| 2024-01-12 | CVE-2023-49255 | Missing Authentication for Critical Function vulnerability in Hongdian H8951-4G-Esp Firmware The router console is accessible without authentication at "data" field, and while a user needs to be logged in in order to modify the configuration, the session state is shared. | 9.8 |
| 2024-01-12 | CVE-2023-49256 | Use of Hard-coded Credentials vulnerability in Hongdian H8951-4G-Esp Firmware It is possible to download the configuration backup without authorization and decrypt included passwords using hardcoded static key. | 7.5 |
| 2024-01-12 | CVE-2023-49257 | Incorrect Permission Assignment for Critical Resource vulnerability in Hongdian H8951-4G-Esp Firmware An authenticated user is able to upload an arbitrary CGI-compatible file using the certificate upload utility and execute it with the root user privileges. | 8.8 |
| 2024-01-12 | CVE-2023-49258 | Cross-site Scripting vulnerability in Hongdian H8951-4G-Esp Firmware User browser may be forced to execute JavaScript and pass the authentication cookie to the attacker leveraging the XSS vulnerability located at "/gui/terminal_tool.cgi" in the "data" parameter. | 6.1 |
| 2024-01-12 | CVE-2023-49259 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Hongdian H8951-4G-Esp Firmware The authentication cookies are generated using an algorithm based on the username, hardcoded secret and the up-time, and can be guessed in a reasonable time. | 7.5 |
| 2024-01-12 | CVE-2023-49260 | Cross-site Scripting vulnerability in Hongdian H8951-4G-Esp Firmware An XSS attack can be performed by changing the MOTD banner and pointing the victim to the "terminal_tool.cgi" path. | 6.1 |
| 2024-01-12 | CVE-2023-49261 | Unspecified vulnerability in Hongdian H8951-4G-Esp Firmware The "tokenKey" value used in user authorization is visible in the HTML source of the login page. | 7.5 |
| 2024-01-12 | CVE-2023-49262 | Improper Authentication vulnerability in Hongdian H8951-4G-Esp Firmware The authentication mechanism can be bypassed by overflowing the value of the Cookie "authentication" field, provided there is an active user session. | 9.8 |