Vulnerabilities > Hongdian > H8951 4G ESP Firmware

DATE CVE VULNERABILITY TITLE RISK
2024-01-12 CVE-2023-49253 Use of Hard-coded Credentials vulnerability in Hongdian H8951-4G-Esp Firmware
The root user password is hardcoded into the device and cannot be changed in the user interface.
network
low complexity
hongdian CWE-798
critical
9.8
2024-01-12 CVE-2023-49254 OS Command Injection vulnerability in Hongdian H8951-4G-Esp Firmware
An authenticated user can execute arbitrary commands in the context of the root user by providing a payload in the "destination" field of the network test tools.
network
low complexity
hongdian CWE-78
8.8
2024-01-12 CVE-2023-49255 Missing Authentication for Critical Function vulnerability in Hongdian H8951-4G-Esp Firmware
The router console is accessible without authentication at the "data" field, and while a user needs to be logged in to modify the configuration, the session state is shared.
network
low complexity
hongdian CWE-306
critical
9.8
2024-01-12 CVE-2023-49256 Use of Hard-coded Credentials vulnerability in Hongdian H8951-4G-Esp Firmware
It is possible to download the configuration backup without authorization and decrypt the included passwords using a hardcoded static key.
network
low complexity
hongdian CWE-798
7.5
2024-01-12 CVE-2023-49257 Incorrect Permission Assignment for Critical Resource vulnerability in Hongdian H8951-4G-Esp Firmware
An authenticated user is able to upload an arbitrary CGI-compatible file using the certificate upload utility and execute it with root user privileges.
network
low complexity
hongdian CWE-732
8.8
2024-01-12 CVE-2023-49258 Cross-site Scripting vulnerability in Hongdian H8951-4G-Esp Firmware
A user's browser may be forced to execute JavaScript and pass the authentication cookie to the attacker by leveraging the XSS vulnerability located at "/gui/terminal_tool.cgi" in the "data" parameter.
network
low complexity
hongdian CWE-79
6.1
2024-01-12 CVE-2023-49259 Use of a Broken or Risky Cryptographic Algorithm vulnerability in Hongdian H8951-4G-Esp Firmware
The authentication cookies are generated using an algorithm based on the username, a hardcoded secret and the uptime, and can be guessed in a reasonable time.
network
low complexity
hongdian CWE-327
7.5
2024-01-12 CVE-2023-49260 Cross-site Scripting vulnerability in Hongdian H8951-4G-Esp Firmware
An XSS attack can be performed by changing the MOTD banner and pointing the victim to the "terminal_tool.cgi" path.
network
low complexity
hongdian CWE-79
6.1
2024-01-12 CVE-2023-49261 Unspecified vulnerability in Hongdian H8951-4G-Esp Firmware
The "tokenKey" value used in user authorization is visible in the HTML source of the login page.
network
low complexity
hongdian
7.5
2024-01-12 CVE-2023-49262 Improper Authentication vulnerability in Hongdian H8951-4G-Esp Firmware
The authentication mechanism can be bypassed by overflowing the value of the Cookie "authentication" field, provided there is an active user session.
network
low complexity
hongdian CWE-287
critical
9.8