
CVSS: 5.3 • EPSS: 3% • CPEs: 12 • EXPL: 2

05 Jun 2017 — Debug information disclosure exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. A direct request to cgi-bin/HASync/hasync.cgi?debug=1 shows Master LAN Address, Serial Number, HA Group ID, Virtual IP, and Submitted syncid. • https://packetstorm.news/files/id/142801 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 8.1 • EPSS: 4% • CPEs: 12 • EXPL: 2

05 Jun 2017 — Arbitrary file deletion exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The attack methodology is absolute path traversal in cgi-bin/MANGA/firmware_process.cgi via the upfile.path parameter. • https://packetstorm.news/files/id/142801 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.8 • EPSS: 63% • CPEs: 12 • EXPL: 3

05 Jun 2017 — SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database. • https://packetstorm.news/files/id/180664 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')