CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-31977
https://notcve.org/view.php?id=CVE-2024-31977
24 Jul 2024 — Adtran 834-5 11.1.0.101-202106231430, and fixed as of SmartOS Version 12.5.5.1, devices allow OS Command Injection via shell metacharacters to the Ping or Traceroute utility. Adtran 834-5 11.1.0.101-202106231430, and fixed as of SmartOS Version 12.6.3.1, devices allow OS Command Injection via shell metacharacters to the Ping or Traceroute utility. • https://drive.proton.me/urls/GXDM5T5NSG#RHa0yVWSKyoz • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-39345
https://notcve.org/view.php?id=CVE-2024-39345
24 Jul 2024 — AdTran 834-5 HDC17600021F1 (SmartOS 11.1.1.1) devices enable the SSH service by default and have a hidden, undocumented, hard-coded support account whose password is based on the devices MAC address. All of the devices internet interfaces share a similar MAC address that only varies in their final octet. This allows network-adjacent attackers to derive the support user's SSH password by decrementing the final octet of the connected gateway address or via the BSSID. An attacker can then execute arbitrary OS ... • https://github.com/actuator/cve/blob/main/AdTran/CVE-2024-39345 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-259: Use of Hard-coded Password •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-31970
https://notcve.org/view.php?id=CVE-2024-31970
24 Jul 2024 — AdTran SRG 834-5 HDC17600021F1 devices (with SmartOS 11.1.1.1 and fixed in Version 12.1.3.1) have SSH enabled by default, accessible both over the LAN and the Internet. During a window of time when the device is being set up, it uses a default username and password combination of admin/admin with root-level privileges. An attacker can exploit this window to gain unauthorized root access by either modifying the existing admin account or creating a new account with equivalent privileges. This vulnerability al... • https://github.com/actuator/cve/blob/main/AdTran/CVE-2024-31970 • CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31971
https://notcve.org/view.php?id=CVE-2024-31971
24 Jul 2024 — Multiple stored cross-site scripting (XSS) vulnerabilities on AdTran NetVanta 3120 18.01.01.00.E devices allow remote attackers to inject arbitrary JavaScript, as demonstrated by /mainPassword.html, /processIdentity.html, /public.html, /dhcp.html, /private.html, /hostname.html, /connectivity.html, /NetworkMonitor.html, /trafficMonitoringConfig.html, and /wizardMain.html. **UNSUPPORTED WHEN ASSIGNED** Multiple stored cross-site scripting (XSS) vulnerabilities on AdTran NetVanta 3120 18.01.01.00.E devices all... • https://github.com/actuator/cve/blob/main/AdTran/CVE-2024-31971 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28093
https://notcve.org/view.php?id=CVE-2024-28093
26 Mar 2024 — The TELNET service of AdTran NetVanta 3120 18.01.01.00.E devices is enabled by default, and has default credentials for a root-level account. El servicio TELNET de los dispositivos AdTran NetVanta 3120 18.01.01.00.E está habilitado de forma predeterminada y tiene credenciales predeterminadas para una cuenta de nivel raíz. **UNSUPPORTED WHEN ASSIGNED** The TELNET service of AdTran NetVanta 3120 18.01.01.00.E devices is enabled by default, and has default credentials for a root-level account. • https://github.com/actuator/cve/blob/main/AdTran/CVE-2024-28093 • CWE-1392: Use of Default Credentials •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-38120 – Adtran SR400ac ping Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-38120
28 Jul 2023 — Adtran SR400ac ping Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adtran SR400ac routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ping command, which is available over JSON-RPC. A crafted host parameter can trigger execution of a system call composed from a user-supplied string. • https://github.com/warber0x/CVE-2023-38120 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 89%CPEs: 4EXPL: 6CVE-2022-37661 – SmartRG Router SR510n 2.6.13 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2022-37661
12 Sep 2022 — SmartRG SR506n 2.5.15 and SR510n 2.6.13 routers are vulnerable to Remote Code Execution (RCE) via the ping host feature. Los routers SmartRG SR506n versión 2.5.15 y SR510n versión 2.6.13, son vulnerables a una ejecución de código remota (RCE) por medio de la función ping host SmartRG Router SR510n version 2.6.13 suffers from a remote code execution vulnerability. • https://packetstorm.news/files/id/169816 •
CVSS: 7.5EPSS: 58%CPEs: 3EXPL: 4CVE-2021-25681 – Adtran Personal Phone Manager 10.8.1 - DNS Exfiltration
https://notcve.org/view.php?id=CVE-2021-25681
20 Apr 2021 — AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched El software AdTran Personal Phone Manager versión 10.8.1, es vulnerable a un problema que permite la exfiltración de datos po... • https://packetstorm.news/files/id/162280 •
CVSS: 6.1EPSS: 1%CPEs: 3EXPL: 4CVE-2021-25680 – Adtran Personal Phone Manager 10.8.1 - 'Multiple' Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-25680
20 Apr 2021 — The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research. NOTE: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched El software AdTran Personal Phone Manager es v... • https://packetstorm.news/files/id/162269 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 5CVE-2021-25679 – Adtran Personal Phone Manager 10.8.1 - 'emailAddress' Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-25679
20 Apr 2021 — The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research. NOTE: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched El software AdTran Personal Phone Manager... • https://packetstorm.news/files/id/162268 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •