Hongdian H8951 4G ESP Firmware vulnerabilities: High

DATE | CVE | VULNERABILITY TITLE | RISK

2024-01-12 | CVE-2023-49254 | OS Command Injection vulnerability in Hongdian H8951-4G-Esp Firmware | 8.8
An authenticated user can execute arbitrary commands in the context of the root user by providing a payload in the "destination" field of the network test tools.
Attack vector: network; attack complexity: low; vendor: hongdian; CWE-78

2024-01-12 | CVE-2023-49256 | Use of Hard-coded Credentials vulnerability in Hongdian H8951-4G-Esp Firmware | 7.5
It is possible to download the configuration backup without authorization and decrypt the included passwords using a hardcoded static key.
Attack vector: network; attack complexity: low; vendor: hongdian; CWE-798

2024-01-12 | CVE-2023-49257 | Incorrect Permission Assignment for Critical Resource vulnerability in Hongdian H8951-4G-Esp Firmware | 8.8
An authenticated user is able to upload an arbitrary CGI-compatible file using the certificate upload utility and execute it with root user privileges.
Attack vector: network; attack complexity: low; vendor: hongdian; CWE-732

2024-01-12 | CVE-2023-49259 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Hongdian H8951-4G-Esp Firmware | 7.5
The authentication cookies are generated using an algorithm based on the username, a hardcoded secret and the uptime, and can be guessed in a reasonable time.
Attack vector: network; attack complexity: low; vendor: hongdian; CWE-327

2024-01-12 | CVE-2023-49261 | Unspecified vulnerability in Hongdian H8951-4G-Esp Firmware | 7.5
The "tokenKey" value used in user authorization is visible in the HTML source of the login page.
Attack vector: network; attack complexity: low; vendor: hongdian