Vulnerabilities > Verizon
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-07-14 | CVE-2022-28369 | Unrestricted Upload of File with Dangerous Type vulnerability in Verizon Lvskihp Indoorunit Firmware 3.4.66.162 Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 does not validate the user-provided URL within the crtcmode function's enable_ssh sub-operation of the crtcrpc JSON listener (found at /lib/functions/wnc_jsonsh/crtcmode.sh) A remote attacker on the local network can provide a malicious URL. | 9.8 |
| 2022-07-14 | CVE-2022-28370 | Insufficient Verification of Data Authenticity vulnerability in Verizon Lvskihp Outdoorunit Firmware 3.33.101.0 On Verizon 5G Home LVSKIHP OutDoorUnit (ODU) 3.33.101.0 devices, the RPC endpoint crtc_fw_upgrade provides a means of provisioning a firmware update for the device. | 7.5 |
| 2022-07-14 | CVE-2022-28371 | Use of Hard-coded Credentials vulnerability in Verizon products On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints rely on a static certificate for access control. | 7.5 |
| 2022-07-14 | CVE-2022-28372 | Unrestricted Upload of File with Dangerous Type vulnerability in Verizon products On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints provide a means of provisioning a firmware update for the device via crtc_fw_upgrade or crtcfwimage. | 7.5 |
| 2022-07-14 | CVE-2022-28373 | OS Command Injection vulnerability in Verizon Lvskihp Indoorunit Firmware 3.4.66.162 Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 does not properly sanitize user-controlled parameters within the crtcreadpartition function of the crtcrpc JSON listener in /usr/lib/lua/luci/crtc.lua. | 9.8 |
| 2022-07-14 | CVE-2022-28374 | OS Command Injection vulnerability in Verizon Lvskihp Outdoorunit Firmware 3.33.101.0 Verizon 5G Home LVSKIHP OutDoorUnit (ODU) 3.33.101.0 does not property sanitize user-controlled parameters within the DMACC URLs on the Settings page of the Engineering portal. | 8.8 |
| 2022-07-14 | CVE-2022-28375 | OS Command Injection vulnerability in Verizon Lvskihp Outdoorunit Firmware 3.33.101.0 Verizon 5G Home LVSKIHP OutDoorUnit (ODU) 3.33.101.0 does not property sanitize user-controlled parameters within the crtcswitchsimprofile function of the crtcrpc JSON listener. | 9.8 |
| 2022-07-14 | CVE-2022-28377 | Weak Password Requirements vulnerability in Verizon products On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints rely on a static account username/password for access control. | 7.5 |
| 2022-06-02 | CVE-2022-29729 | Weak Password Requirements vulnerability in Verizon 4G LTE Network Extender Firmware 0.4.038.2131/Ga4.38 Verizon 4G LTE Network Extender GA4.38 - V0.4.038.2131 utilizes a weak default admin password generation algorithm which generates passwords that are accessible to unauthenticated attackers via the webUI login page. | 7.5 |
| 2022-04-03 | CVE-2022-28376 | Improper Authentication vulnerability in Verizon Lvskihp Firmware 20220215 Verizon 5G Home LVSKIHP outside devices through 2022-02-15 allow anyone (knowing the device's serial number) to access a CPE admin website, e.g., at the 10.0.0.1 IP address. | 8.1 |