
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

24 Feb 2025 — A vulnerability, which was classified as critical, was found in LB-LINK AC1900 Router 1.0.2. Affected is the function websGetVar of the file /goform/set_manpwd. The manipulation of the argument routepwd leads to OS command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://noisy-caravel-a9a.notion.site/LBLINK_AC1900_V1-0-2_-set_manpwd-_-bl_do_system-_CI-179898c94eac81b9bf56c1f64db77e2d?pvs=74 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

01 Nov 2024 — LB-LINK BL-WR 1300H v.1.0.4 contains hardcoded credentials stored in /etc/shadow which are easily guessable. • https://github.com/MatJosephs/CVEs/tree/main/CVE-2024-51431 • CWE-798: Use of Hard-coded Credentials

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Jun 2024 — Incorrect access control in the UART/Serial interface on the LB-LINK BL-W1210M v2.0 router allows attackers to access the root terminal without authentication. • https://github.com/ShravanSinghRathore/Security-Advisory-Multiple-Vulnerabilities-in-LB-link-BL-W1210M-Router/wiki/Incorrect-Access-Control-%28CVE%E2%80%902024%E2%80%9033374%29 • CWE-269: Improper Privilege Management

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Jun 2024 — LB-LINK BL-W1210M v2.0 was discovered to store user credentials in plaintext within the router's firmware. • https://github.com/ShravanSinghRathore/Security-Advisory-Multiple-Vulnerabilities-in-LB-link-BL-W1210M-Router/wiki/Credentials-Stored-in-Cleartext--%7C--Unencrypted-Credentials-%28CVE%E2%80%902024%E2%80%9033375%29 • CWE-256: Plaintext Storage of a Password

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Jun 2024 — LB-LINK BL-W1210M v2.0 was discovered to contain a clickjacking vulnerability via the Administrator login page. Attackers can cause victim users to perform arbitrary operations via interaction with crafted elements on the web page. • https://github.com/ShravanSinghRathore/Security-Advisory-Multiple-Vulnerabilities-in-LB-link-BL-W1210M-Router/wiki/Clickjacking-%28CVE%E2%80%902024%E2%80%9033377%29 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames

CVSS: 10.0 • EPSS: 26% • CPEs: 8 • EXPL: 1

26 Mar 2023 — LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via the mac, time1, and time2 parameters at /goform/set_LimitClient_cfg. • https://github.com/winmt/my-vuls/tree/main/LB-LINK%20BL-AC1900%2C%20BL-WR9000%2C%20BL-X26%20and%20BL-LTE300%20Wireless%20Routers • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')