CVSS: 9.0EPSS: 36%CPEs: 4EXPL: 1CVE-2017-5255 – Cambium ePMP1000 - 'get_chart' Shell via Command Injection
https://notcve.org/view.php?id=CVE-2017-5255
20 Dec 2017 — In version 3.5 and prior of Cambium Networks ePMP firmware, a lack of input sanitation for certain parameters on the web management console allows any authenticated user (including the otherwise low-privilege readonly user) to inject shell meta-characters as part of a specially-crafted POST request to the get_chart function and run OS-level commands, effectively as root. En versiones de firmware 3.5 y anteriores de Cambium Networks ePMP, la falta de saneamiento de valores de entrada para determinados paráme... • https://www.exploit-db.com/exploits/43413 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 1CVE-2017-5258
https://notcve.org/view.php?id=CVE-2017-5258
20 Dec 2017 — In version 3.5 and prior of Cambium Networks ePMP firmware, an attacker who knows or can guess the RW community string can provide a URL for a configuration file over SNMP with XSS strings in certain SNMP OIDs, serve it via HTTP, and the affected device will perform a configuration restore using the attacker's supplied config file, including the inserted XSS strings. En versiones de firmware 3.5 y anteriores de Cambium Networks ePMP, un atacante que sepa o adivine la cadena de comunidad RW (lectura y escrit... • https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 10EXPL: 0CVE-2017-5260 – Cambium CnPilot R200/r201 Login Scanner And Config Dump
https://notcve.org/view.php?id=CVE-2017-5260
20 Dec 2017 — In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, although the option to access the configuration file is not available in the normal web administrative console for the 'user' account, the configuration file is accessible via direct object reference (DRO) at http://
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2017-5257
https://notcve.org/view.php?id=CVE-2017-5257
20 Dec 2017 — In version 3.5 and prior of Cambium Networks ePMP firmware, an attacker who knows (or guesses) the SNMP read/write (RW) community string can insert XSS strings in certain SNMP OIDs which will execute in the context of the currently-logged on user. En versiones de firmware 3.5 y anteriores de Cambium Networks ePMP, un atacante que sepa o adivine la cadena de comunidad RW (lectura y escritura) SNMP podría insertar cadenas XSS en determinados OID SNMP que se ejecutarían en el contexto del usuario actualmente c... • https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.0EPSS: 0%CPEs: 10EXPL: 0CVE-2017-5262 – Cambium CnPilot R200/r201 SNMP Enumeration
https://notcve.org/view.php?id=CVE-2017-5262
20 Dec 2017 — In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, the SNMP read-only (RO) community string has access to sensitive information by OID reference. En versiones de firmware 4.3 2-R4 y anteriores de Cambium Networks cnPilot, la cadena de comunidad de solo lectura SNMP tiene acceso a información sensible por referencia OID. • https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.0EPSS: 0%CPEs: 10EXPL: 0CVE-2017-5263
https://notcve.org/view.php?id=CVE-2017-5263
20 Dec 2017 — Versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware lack CSRF controls that can mitigate the effects of CSRF attacks, which are most typically implemented as randomized per-session tokens associated with any web application function, especially destructive ones. En versiones de firmware 4.3 2-R4 y anteriores de Cambium Networks cnPilot, no tiene controles Cross-Site Request Forgery (CSRF) que puedan mitigar los efectos de los ataques CSRF, los cuales se suelen implementar como tokens pre-sesión... • https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2017-5256
https://notcve.org/view.php?id=CVE-2017-5256
20 Dec 2017 — In version 3.5 and prior of Cambium Networks ePMP firmware, all authenticated users have the ability to update the Device Name and System Description fields in the web administration console, and those fields are vulnerable to persistent cross-site scripting (XSS) injection. En versiones de firmware 3.5 y anteriores de Cambium Networks ePMP, todos los usuarios autenticados pueden actualizar los campos Device Name y System Description en la consola de administración web. Esos campos son vulnerables a inyecci... • https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 10EXPL: 0CVE-2017-5261 – Cambium CnPilot R200/r201 File Path Traversal
https://notcve.org/view.php?id=CVE-2017-5261
20 Dec 2017 — In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, the 'ping' and 'traceroute' functions of the web administrative console expose a file path traversal vulnerability, accessible to all authenticated users. En versiones de firmware 4.3 2-R4 y anteriores de Cambium Networks cnPilot, las funciones 'ping' y 'traceroute' de la consola administrativa web exponen una vulnerabilidad de salto de directorio de archivo, accesible para todos los usuarios autenticados. • https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-472: External Control of Assumed-Immutable Web Parameter •
CVSS: 9.0EPSS: 85%CPEs: 4EXPL: 0CVE-2017-5254 – Cambium EPMP 1000 Account Password Reset
https://notcve.org/view.php?id=CVE-2017-5254
20 Dec 2017 — In version 3.5 and prior of Cambium Networks ePMP firmware, the non-administrative users 'installer' and 'home' have the capability of changing passwords for other accounts, including admin, after disabling a client-side protection mechanism. En versiones de firmware 3.5 y anteriores de Cambium Networks ePMP, los usuarios no administrativos "installer" y "home" pueden cambiar contraseñas para otras cuentas, incluyendo la cuenta admin, después de desactivar un mecanismo de protección del lado del cliente. • https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVSS: 9.0EPSS: 2%CPEs: 10EXPL: 0CVE-2017-5259 – Cambium CnPilot R200/r201 Command Execution
https://notcve.org/view.php?id=CVE-2017-5259
20 Dec 2017 — In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, an undocumented, root-privilege administration web shell is available using the HTTP path https://<device-ip-or-hostname>/adm/syscmd.asp. En versiones de firmware 4.3 2-R4 y anteriores de Cambium Networks cnPilot, está disponible un shell web de administración con privilegios root no documentado utilizando la ruta HTTP https:///adm/syscmd.asp. • https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities • CWE-319: Cleartext Transmission of Sensitive Information CWE-489: Active Debug Code •