Vulnerabilities > UI
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-07-30 | CVE-2019-5456 | Credentials Management vulnerability in UI Unifi Controller SMTP MITM refers to a malicious actor setting up an SMTP proxy server between the UniFi Controller version <= 5.10.21 and their actual SMTP server to record their SMTP credentials for malicious use later. | 8.1 |
| 2019-07-10 | CVE-2019-5446 | Command Injection vulnerability in UI Edgeswitch Firmware 1.7.3 Command Injection in EdgeMAX EdgeSwitch prior to 1.8.2 allow an Admin user to execute commands as root. | 7.2 |
| 2019-07-10 | CVE-2019-5445 | Resource Exhaustion vulnerability in UI Edgeswitch Firmware 1.7.3 DoS in EdgeMAX EdgeSwitch prior to 1.8.2 allow an Admin user to Crash the SSH CLI interface by using crafted commands. | 4.9 |
| 2019-06-11 | CVE-2010-5330 | Command Injection vulnerability in UI Airos On certain Ubiquiti devices, Command Injection exists via a GET request to stainfo.cgi (aka Show AP info) because the ifname variable is not sanitized, as demonstrated by shell metacharacters. | 9.8 |
| 2019-06-07 | CVE-2018-5264 | Improper Access Control vulnerability in UI Unifi Firmware Ubiquiti UniFi 52 devices, when Hotspot mode is used, allow remote attackers to bypass intended restrictions on "free time" Wi-Fi usage by sending a /guest/s/default/ request to obtain a cookie, and then using this cookie in a /guest/s/default/login request with the byfree parameter. | 5.9 |
| 2019-06-07 | CVE-2018-5265 | OS Command Injection vulnerability in UI Edgeos 1.9.1 Ubiquiti EdgeOS 1.9.1 on EdgeRouter Lite devices allows remote attackers to execute arbitrary code with admin credentials, because /opt/vyatta/share/vyatta-cfg/templates/system/static-host-mapping/host-name/node.def does not sanitize the 'alias' or 'ips' parameter for shell metacharacters. | 7.2 |
| 2019-06-04 | CVE-2019-12727 | Out-of-bounds Read vulnerability in UI Aircam Firmware 3.1.4 On Ubiquiti airCam 3.1.4 devices, a Denial of Service vulnerability exists in the RTSP Service provided by the ubnt-streamer binary. | 7.5 |
| 2019-05-06 | CVE-2019-5430 | Cross-Site Request Forgery (CSRF) vulnerability in UI Unifi Video In UniFi Video 3.10.0 and prior, due to the lack of CSRF protection, it is possible to abuse the Web API to make changes on the server configuration without the user consent, requiring the attacker to lure an authenticated user to access on attacker controlled page. | 8.8 |
| 2019-04-10 | CVE-2019-5426 | Improper Authentication vulnerability in UI Edgeswitch X 1.1.0 In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an unauthenticated user can use the "local port forwarding" and "dynamic port forwarding" (SOCKS proxy) functionalities. | 4.8 |
| 2019-04-10 | CVE-2019-5425 | OS Command Injection vulnerability in UI Edgeswitch X 1.1.0 In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an authenticated user can execute arbitrary shell commands over the SSH interface bypassing the CLI interface, which allow them to escalate privileges to root. | 8.8 |