CVE-2023-2381 – Netgear SRX5308 Web Management Interface cross site scripting
https://notcve.org/view.php?id=CVE-2023-2381
A vulnerability has been found in Netgear SRX5308 up to 4.3.5-3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file scgi-bin/platform.cgi?page=bandwidth_profile.htm of the component Web Management Interface. The manipulation of the argument BandWidthProfile.ProfileName leads to cross site scripting. The attack can be launched remotely. • https://github.com/leetsun/IoT/tree/main/Netgear-SRX5308/6 https://vuldb.com/?ctiid.227659 https://vuldb.com/?id.227659 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-2380 – Netgear SRX5308 denial of service
https://notcve.org/view.php?id=CVE-2023-2380
A vulnerability, which was classified as problematic, was found in Netgear SRX5308 up to 4.3.5-3. Affected is an unknown function. The manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/leetsun/IoT/tree/main/Netgear-SRX5308/17 https://vuldb.com/?ctiid.227658 https://vuldb.com/?id.227658 • CWE-404: Improper Resource Shutdown or Release •
CVE-2016-11060
https://notcve.org/view.php?id=CVE-2016-11060
Certain NETGEAR devices are affected by insecure renegotiation. This affects SRX5308 before 2017-02-10, FVS336Gv3 before 2017-02-10, FVS318N before 2017-02-10, and FVS318Gv2 before 2017-02-10. Determinados dispositivos de NETGEAR están afectados por una renegociación no segura. Esto afecta a SRX5308 antes del 10-02-2017, FVS336Gv3 antes del 10-02-2017, FVS318N antes del 10-02-2017 y FVS318Gv2 antes del 10-02-2017. • https://kb.netgear.com/31426/SSL-Renegotiation-Denial-of-Service-Vulnerability •
CVE-2019-17049
https://notcve.org/view.php?id=CVE-2019-17049
NETGEAR SRX5308 4.3.5-3 devices allow SQL Injection, as exploited in the wild in September 2019 to add a new user account. Los dispositivos NETGEAR SRX5308 versión 4.3.5-3, permiten la inyección SQL, como se explotó "in the wild" en septiembre de 2019 al agregar una nueva cuenta de usuario. • https://community.netgear.com/t5/Hardware-VPN-Firewalls-and/Successful-hack-of-our-SRX5308/m-p/1805846 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2016-10106
https://notcve.org/view.php?id=CVE-2016-10106
Directory traversal vulnerability in scgi-bin/platform.cgi on NETGEAR FVS336Gv3, FVS318N, FVS318Gv2, and SRX5308 devices with firmware before 4.3.3-8 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the thispage parameter, as demonstrated by reading the /etc/shadow file. Vulnerabilidad de salto de directorio en scgi-bin/platform.cgi en dispositivos NETGEAR FVS336Gv3, FVS318N, FVS318Gv2 y SRX5308 con firmware en versiones anteriores a 4.3.3-8 permite a usuarios remotos autenticados leer archivos arbitrarios a través de un .. (punto punto) en el parámetro thispage, como se demuestra al leer el archivo /etc/shadow. • http://kb.netgear.com/30739/Path-Traversal-Attack-Security-Vulnerability http://www.securityfocus.com/bid/95204 http://www.securitytracker.com/id/1037548 https://twitter.com/mantislesin/status/816618162770821120 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •