Vulnerabilities > Zyxel

DATE CVE VULNERABILITY TITLE RISK
2020-06-29 CVE-2020-15314 Use of Hard-coded Credentials vulnerability in Zyxel CloudCNM SecuManager 3.1.0/3.1.1
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key for the root account.
network
high complexity
zyxel CWE-798
5.9
2020-06-29 CVE-2020-15313 Use of Hard-coded Credentials vulnerability in Zyxel CloudCNM SecuManager 3.1.0/3.1.1
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded ECDSA SSH key for the root account.
network
high complexity
zyxel CWE-798
5.9
2020-06-29 CVE-2020-15312 Use of Hard-coded Credentials vulnerability in Zyxel CloudCNM SecuManager 3.1.0/3.1.1
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key for the root account.
network
high complexity
zyxel CWE-798
5.9
2020-06-26 CVE-2020-15336 Missing Authentication for Critical Function vulnerability in Zyxel CloudCNM SecuManager 3.1.0/3.1.1
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for /cnr requests.
network
low complexity
zyxel CWE-306
7.5
2020-06-26 CVE-2020-15335 Missing Authentication for Critical Function vulnerability in Zyxel CloudCNM SecuManager 3.1.0/3.1.1
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for /registerCpe requests.
network
low complexity
zyxel CWE-306
7.5
2020-06-26 CVE-2020-15348 Code Injection vulnerability in Zyxel CloudCNM SecuManager 3.1.0/3.1.1
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows use of live/CPEManager/AXCampaignManager/delete_cpes_by_ids?cpe_ids= for eval injection of Python code.
network
low complexity
zyxel CWE-94
critical
9.8
2020-06-22 CVE-2020-14461 Path Traversal vulnerability in Zyxel WAP6806 Firmware 1.00(ABAL.6)C0
Zyxel Armor X1 WAP6806 1.00(ABAL.6)C0 devices allow Directory Traversal via the images/eaZy/ URI.
network
low complexity
zyxel CWE-22
8.6
2020-06-08 CVE-2020-12695 Incorrect Default Permissions vulnerability in multiple products
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
7.5
2020-03-31 CVE-2019-13495 Cross-site Scripting vulnerability in Zyxel XGS2210-52HP Firmware 4.50
In firmware version 4.50 of Zyxel XGS2210-52HP, multiple stored cross-site scripting (XSS) issues allow remote authenticated users to inject arbitrary web script via an rpSys.html Name or Location field.
network
low complexity
zyxel CWE-79
5.4
2020-03-04 CVE-2020-9054 OS Command Injection vulnerability in Zyxel products
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device.
network
low complexity
zyxel CWE-78
critical
9.8