CVE-2024-5196 – Arris VAP2500 tools_command.php command injection
https://notcve.org/view.php?id=CVE-2024-5196
A vulnerability classified as critical has been found in Arris VAP2500 08.50. This affects an unknown part of the file /tools_command.php. The manipulation of the argument cmb_header/txt_command leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/h0e4a0r1t/h0e4a0r1t.github.io/blob/master/2024/a%2B%26%5BE4%3Flp5%3Fk9_%3D%5D/ARRIS_VAP2500-RCE-tools_command.php.pdf https://vuldb.com/?ctiid.265833 https://vuldb.com/?id.265833 https://vuldb.com/?submit.335254 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2024-5195 – Arris VAP2500 diag_s.php command injection
https://notcve.org/view.php?id=CVE-2024-5195
A vulnerability was found in Arris VAP2500 08.50. It has been rated as critical. Affected by this issue is some unknown functionality of the file /diag_s.php. The manipulation of the argument customer_info leads to command injection. The attack may be launched remotely. • https://github.com/h0e4a0r1t/h0e4a0r1t.github.io/blob/master/2024/a%2B%26%5BE4%3Flp5%3Fk9_%3D%5D/ARRIS_VAP2500-RCE-diag_s.php.pdf https://vuldb.com/?ctiid.265832 https://vuldb.com/?id.265832 https://vuldb.com/?submit.335253 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2024-5194 – Arris VAP2500 assoc_table.php command injection
https://notcve.org/view.php?id=CVE-2024-5194
A vulnerability was found in Arris VAP2500 08.50. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /assoc_table.php. The manipulation of the argument id leads to command injection. The attack can be launched remotely. • https://github.com/h0e4a0r1t/h0e4a0r1t.github.io/blob/master/2024/a%2B%26%5BE4%3Flp5%3Fk9_%3D%5D/ARRIS_VAP2500-RCE-assoc_table.php.pdf https://vuldb.com/?ctiid.265831 https://vuldb.com/?id.265831 https://vuldb.com/?submit.335252 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2014-8425 – ARRIS VAP2500 Management Portal Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2014-8425
The management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to obtain credentials by reading the configuration files. El portal de gestión en ARRIS VAP2500 anterior a FW08.41 permite a atacantes remotos obtener credenciales mediante la lectura de ficheros de configuración. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ARRIS VAP2500. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of access to the management portal. The issue lies in the failure to restrict access to configuration files. • https://www.exploit-db.com/exploits/35372 http://www.zerodayinitiative.com/advisories/ZDI-14-387 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-8423 – ARRIS VAP2500 Management Portal Remote Command Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-8423
Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors. Vulnerabilidad no especificada en el portal de gestión en ARRIS VAP2500 anterior a FW08.41 permite a atacantes remotos ejecutar comandos arbitrarios a través de vectores desconocidos. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ARRIS VAP2500. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of access to the management portal. The issue lies in the ability to execute arbitrary commands without any sanitization. • https://www.exploit-db.com/exploits/35372 http://www.zerodayinitiative.com/advisories/ZDI-14-389 http://goto.fail/blog/2014/11/25/at-and-t-u-verse-vap2500-the-passwords-they-do-nothing https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/vap2500_tools_command_exec.rb • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •