CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2021-20120
https://notcve.org/view.php?id=CVE-2021-20120
The administration web interface for the Arris Surfboard SB8200 lacks any protections against cross-site request forgery attacks. This means that an attacker could make configuration changes (such as changing the administrative password) without the consent of the user. La interfaz web de administración de la Arris Surfboard SB8200 carece de protecciones contra los ataques de tipo cross-site request forgery. Esto significa que un atacante podría realizar cambios de configuración (como cambiar la contraseña administrativa) sin el consentimiento del usuario • https://www.tenable.com/security/research/tra-2021-45 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-33216 – CommScope Ruckus IoT Controller 1.7.1.0 Undocumented Account
https://notcve.org/view.php?id=CVE-2021-33216
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. An Undocumented Backdoor exists, allowing shell access via a developer account. Se ha detectado un problema en CommScope Ruckus IoT Controller versiones 1.7.1.0 y anteriores. Se presenta una Puerta Trasera No Documentada, permitiendo el acceso al shell por medio de una cuenta de desarrollador An upgrade account is included in the IoT Controller OVA that provides the vendor undocumented access via Secure Copy (SCP). • http://seclists.org/fulldisclosure/2021/May/78 https://korelogic.com/advisories.html •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-33217 – CommScope Ruckus IoT Controller 1.7.1.0 Web Application Arbitrary Read/Write
https://notcve.org/view.php?id=CVE-2021-33217
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. The Web Application allows Arbitrary Read/Write actions by authenticated users. The API allows an HTTP POST of arbitrary content into any file on the filesystem as root. Se ha detectado un problema en CommScope Ruckus IoT Controller versiones 1.7.1.0 y anteriores. La Aplicación Web permite acciones arbitrarias de lectura y escritura por parte de usuarios autenticados. • http://seclists.org/fulldisclosure/2021/May/77 https://korelogic.com/advisories.html • CWE-787: Out-of-bounds Write •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-33215 – CommScope Ruckus IoT Controller 1.7.1.0 Web Application Directory Traversal
https://notcve.org/view.php?id=CVE-2021-33215
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. The API allows Directory Traversal. Se ha detectado un problema en CommScope Ruckus IoT Controller versiones 1.7.1.0 y anteriores. La API permite un Salto de Directorio A Python script (web.py) for a Dockerized webservice contains a directory traversal vulnerability, which can be leveraged by an authenticated attacker to view the contents of directories on the IoT Controller. • http://seclists.org/fulldisclosure/2021/May/76 https://korelogic.com/advisories.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-33219 – CommScope Ruckus IoT Controller 1.7.1.0 Hard-Coded Web Application Administrator Password
https://notcve.org/view.php?id=CVE-2021-33219
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. There are Hard-coded Web Application Administrator Passwords for the admin and nplus1user accounts. Se ha detectado un problema en CommScope Ruckus IoT Controller versiones 1.7.1.0 y anteriores. Se presentan Contraseñas de Administrador de Aplicaciones Web Embebidas para las cuentas admin y nplus1user An undocumented, administrative-level, hard-coded web application account exists in the IoT Controller OVA which cannot be changed by the customer. • https://korelogic.com/advisories.html https://seclists.org/fulldisclosure/2021/May/75 • CWE-798: Use of Hard-coded Credentials •