CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2019-3918
https://notcve.org/view.php?id=CVE-2019-3918
The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 contains multiple hard coded credentials for the Telnet and SSH interfaces. Alcatel Lucent I-240W-Q GPON ONT, con firmware en su versión 3FE54567BOZJ19, contiene múltiples credenciales embebidas para las interfaces Telnet y SSH. • https://www.tenable.com/security/research/tra-2019-09 • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 1CVE-2019-3917
https://notcve.org/view.php?id=CVE-2019-3917
The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 allows a remote, unauthenticated attacker to enable telnetd on the router via a crafted HTTP request. Alcatel Lucent I-240W-Q GPON ONT, con firmware en su versión 3FE54567BOZJ19, permite que un atacante no autenticado remoto habilite telnetd en el router mediante una petición HTTP manipulada. • https://www.tenable.com/security/research/tra-2019-09 • CWE-306: Missing Authentication for Critical Function CWE-425: Direct Request ('Forced Browsing') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2019-3920
https://notcve.org/view.php?id=CVE-2019-3920
The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 is vulnerable to authenticated command injection via crafted HTTP request sent by a remote, authenticated attacker to /GponForm/device_Form?script/. Alcatel Lucent I-240W-Q GPON ONT, con firmware en su versión 3FE54567BOZJ19, es vulnerable a una inyección de comandos autenticada mediante una petición HTTP enviada por un atacante autenticado remoto a /GponForm/device_Form?script/. • https://www.tenable.com/security/research/tra-2019-09 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 4CVE-2019-7386 – Nokia 8810 Denial Of Service
https://notcve.org/view.php?id=CVE-2019-7386
A Denial of Service issue has been discovered in the Gecko component of KaiOS 2.5 10.05 (platform 48.0.a2) on Nokia 8810 4G devices. When a crafted web page is visited with the internal browser, the Gecko process crashes with a segfault. Successful exploitation could lead to the remote code execution on the device. Se ha descubierto un problema de denegación de servicio (DoS) en el componente Gecko de KaiOS 2.5 10.05 (plataforma 48.0.a2) en dispositivos Nokia 8810 4G. Cuando un sitio web manipulado se visita con el navegador interno, el proceso Gecko se cierra inesperadamente con un segfault. • http://packetstormsecurity.com/files/151651/Nokia-8810-Denial-Of-Service.html http://seclists.org/fulldisclosure/2019/Feb/35 http://www.breakthesec.com http://www.breakthesec.com/search/label/0day https://s3curityb3ast.github.io https://s3curityb3ast.github.io/KSA-Dev-007.md •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 3CVE-2015-6929
https://notcve.org/view.php?id=CVE-2015-6929
Multiple cross-site scripting (XSS) vulnerabilities in Nokia Networks (formerly Nokia Solutions and Networks and Nokia Siemens Networks) @vantage Commander allow remote attackers to inject arbitrary web script or HTML via the (1) idFilter or (2) nameFilter parameter to cftraces/filter/fl_copy.jsp; the (3) flName parameter to cftraces/filter/fl_crea1.jsp; the (4) serchStatus, (5) refreshTime, or (6) serchNode parameter to cftraces/process/pr_show_process.jsp; the (7) MaxActivationTime, (8) NumberOfBytes, (9) NumberOfTracefiles, (10) SessionName, or (11) serchSessionkind parameter to cftraces/session/se_crea.jsp; the (12) serchSessionDescription parameter to cftraces/session/se_show.jsp; the (13) serchApplication or (14) serchApplicationkind parameter to cftraces/session/tr_crea_filter.jsp; the (15) columKeyUnique, (16) columParameter, (17) componentName, (18) criteria1, (19) criteria2, (20) criteria3, (21) description, (22) filter, (23) id, (24) pathName, (25) tableName, or (26) component parameter to cftraces/session/tr_create_tagg_para.jsp; or the (27) userid parameter to home/certificate_association.jsp. Múltiples vulnerabilidades de XSS en Nokia Networks (anteriormente Nokia Solutions y Networks y Nokia Siemens Networks) @vantage Commander permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro (1) idFilter o (2) nameFilter a cftraces/filter/fl_copy.jsp; del parámetro (3) flName a cftraces/filter/fl_crea1.jsp; del parámetro (4) serchStatus, (5) refreshTime, o (6) serchNode a cftraces/process/pr_show_process.jsp; del parámetro (7) MaxActivationTime, (8) NumberOfBytes, (9) NumberOfTracefiles, (10) SessionName, o (11) serchSessionkind a cftraces/session/se_crea.jsp; del parámetro (12) serchSessionDescription a cftraces/session/se_show.jsp; del parámetro (13) serchApplication o (14) serchApplicationkind a cftraces/session/tr_crea_filter.jsp; del parámetro (15) columKeyUnique, (16) columParameter, (17) componentName, (18) criteria1, (19) criteria2, (20) criteria3, (21) description, (22) filter, (23) id, (24) pathName, (25) tableName, o (26) component a cftraces/session/tr_create_tagg_para.jsp; o del parámetro (27) userid a home/certificate_association.jsp. • http://packetstormsecurity.com/files/133538/Nokia-Solutions-And-Networks-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2015/Sep/42 https://drive.google.com/open?id=0B-LWHbwdK3P9eTNKRkdDWGpkN2M • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •