CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-28381
https://notcve.org/view.php?id=CVE-2023-28381
11 Oct 2023 — An OS command injection vulnerability exists in the admin.cgi MVPN_trial_init functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. Existe una vulnerabilidad de inyección de comandos del sistema operativo en la funcionalidad admin.cgi MVPN_trial_init de peplink Surf SOHO HW1 v6.3.5 (en QEMU). Una solicitud HTTP especialmente manipulada puede conducir a la ejecu... • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1779 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-27380
https://notcve.org/view.php?id=CVE-2023-27380
11 Oct 2023 — An OS command injection vulnerability exists in the admin.cgi USSD_send functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. Existe una vulnerabilidad de inyección de comandos del sistema operativo en la funcionalidad admin.cgi USSD_send de peplink Surf SOHO HW1 v6.3.5 (en QEMU). Una solicitud HTTP especialmente manipulada puede conducir a la ejecución de un c... • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1780 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 1CVE-2023-34354
https://notcve.org/view.php?id=CVE-2023-34354
11 Oct 2023 — A stored cross-site scripting (XSS) vulnerability exists in the upload_brand.cgi functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to execution of arbitrary javascript in another user's browser. An attacker can make an authenticated HTTP request to trigger this vulnerability. Existe una vulnerabilidad de Cross-Site Scripting (XSS) almacenada en la funcionalidad upload_brand.cgi de peplink Surf SOHO HW1 v6.3.5 (en QEMU). Una solicitud HTTP especialmente manipu... • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1781 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-35194
https://notcve.org/view.php?id=CVE-2023-35194
11 Oct 2023 — An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability is specifically for the `system` call in the file `/web/MANGA/cgi-bin/api.cgi` for firmware version 6.3.5 at offset `0x4bde44`. Existe una vulnerabilidad de inyección de comandos del sistema operativo en la func... • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1782 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-35193
https://notcve.org/view.php?id=CVE-2023-35193
11 Oct 2023 — An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability is specifically for the `system` call in the file `/web/MANGA/cgi-bin/api.cgi` for firmware version 6.3.5 at offset 0x4bddb8. Existe una vulnerabilidad de inyección de comandos del sistema operativo en la funcio... • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1782 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 114EXPL: 1CVE-2020-24246
https://notcve.org/view.php?id=CVE-2020-24246
07 Oct 2020 — Peplink Balance before 8.1.0rc1 allows an unauthenticated attacker to download PHP configuration files (/filemanager/php/connector.php) from Web Admin. Peplink Balance versiones anteriores a 8.1.0rc1, permite a un atacante no autenticado descargar archivos de configuración PHP (archivo /filemanager/php/connector.php) desde Web Admin • https://blog.bssi.fr/cve-2020-24246-leaking-source-file-using-the-web-admin-interface-of-peplink-balance •
CVSS: 5.3EPSS: 0%CPEs: 12EXPL: 2CVE-2017-8840 – Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure
https://notcve.org/view.php?id=CVE-2017-8840
05 Jun 2017 — Debug information disclosure exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. A direct request to cgi-bin/HASync/hasync.cgi?debug=1 shows Master LAN Address, Serial Number, HA Group ID, Virtual IP, and Submitted syncid. Una divulgación de información de depuración se presenta en los dispositivos Peplink Balance 305, 380, 580, 710, 1350 y 2500 con versión firmware anterior a fw-b305hw2_380hw6_580hw2_710hw3_... • https://packetstorm.news/files/id/142801 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 12EXPL: 2CVE-2017-8836 – Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure
https://notcve.org/view.php?id=CVE-2017-8836
05 Jun 2017 — CSRF exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The CGI scripts in the administrative interface are affected. This allows an attacker to execute commands, if a logged in user visits a malicious website. This can for example be used to change the credentials of the administrative webinterface. Se presenta una vulnerabilidad de tipo CSRF en dispositivos Peplink Balance 305, 380, 580, 710, 1350 y 2500 c... • https://packetstorm.news/files/id/142801 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 12EXPL: 2CVE-2017-8839 – Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure
https://notcve.org/view.php?id=CVE-2017-8839
05 Jun 2017 — XSS via orig_url exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is guest/preview.cgi. Una vulnerabilidad de tipo XSS por medio de orig_url se presenta en los dispositivos Peplink Balance 305, 380, 580, 710, 1350 y 2500 con versión de firmware anterior a fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-versión 7.0.1-build2093. El script afectado está en el archivo guest/preview.cgi. Peplin... • https://packetstorm.news/files/id/142801 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 12EXPL: 3CVE-2017-8835 – Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure
https://notcve.org/view.php?id=CVE-2017-8835
05 Jun 2017 — SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database. Una inyección SQL se presenta en los dispositivos Peplink Balance 305, 380, 580, 710, 1350 y 2500 con versión de firmware anterior a fw-b305hw2_380hw6_580hw2_7... • https://packetstorm.news/files/id/180664 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •