
CVE-2021-22882
https://notcve.org/view.php?id=CVE-2021-22882
23 Feb 2021 — UniFi Protect before v1.17.1 allows an attacker to use spoofed cameras to perform a denial-of-service attack that may cause the UniFi Protect controller to crash. • https://community.ui.com/releases/Security-advisory-bulletin-017-017/071141e5-bc2e-4b71-81f3-5e499316fcee • CWE-400: Uncontrolled Resource Consumption •

CVE-2020-8282
https://notcve.org/view.php?id=CVE-2020-8282
14 Dec 2020 — A security issue was found in EdgePower 24V/54V firmware v1.7.0 and earlier where, due to missing CSRF protections, an attacker would have been able to perform unauthorized remote code execution. • https://community.ui.com/releases/Security-advisory-bulletin-016-016/40c1d33d-785e-44d5-8e6c-56a8addef1bc • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2020-8267
https://notcve.org/view.php?id=CVE-2020-8267
05 Nov 2020 — A security issue was found in UniFi Protect controller v1.14.10 and earlier. The authentication in the UniFi Protect controller API was using “x-token” improperly, allowing attackers to use the API to send authenticated messages without a valid token. This vulnerability was fixed in UniFi Protect v1.14.11 and newer. This issue does not impact UniFi Cloud Key Gen 2 plus. This issue does not impact UDM-Pro customers with UniFi Protect stopped. Affected Products: UDM-Pro firmware 1.7.2 and earlier. UNVR firmware 1.3.... • https://community.ui.com/releases/UniFi-Dream-Machine-Firmware-1-8-0/deabc255-a081-49ba-8f51-131f3a13000a • CWE-287: Improper Authentication •

CVE-2020-27888
https://notcve.org/view.php?id=CVE-2020-27888
27 Oct 2020 — An issue was discovered on Ubiquiti UniFi Meshing Access Point UAP-AC-M 4.3.21.11325 and UniFi Controller 6.0.28 devices. Cached credentials are not erased from an access point returning wirelessly from a disconnected state. This may provide unintended network access. • https://community.ui.com/questions/Possible-authentication-bypass-for-access-into-LAN/7965adb2-5d70-4410-8467-4c7bec76bc00 • CWE-459: Incomplete Cleanup CWE-522: Insufficiently Protected Credentials •

CVE-2020-8234
https://notcve.org/view.php?id=CVE-2020-8234
21 Aug 2020 — A vulnerability exists in The EdgeMax EdgeSwitch firmware

CVE-2020-8233
https://notcve.org/view.php?id=CVE-2020-8233
17 Aug 2020 — A command injection vulnerability exists in EdgeSwitch firmware <v1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2020-8232
https://notcve.org/view.php?id=CVE-2020-8232
17 Aug 2020 — An information disclosure vulnerability exists in EdgeMax EdgeSwitch firmware v1.9.0 that allowed read-only users to obtain unauthorized information through SNMP community pages. • https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2020-8213
https://notcve.org/view.php?id=CVE-2020-8213
30 Jul 2020 — An information exposure vulnerability exists in UniFi Protect before v1.13.4-beta.5 that allowed unauthenticated attackers access to valid usernames for the UniFi Protect web application via HTTP response code and response timing. • https://community.ui.com/releases/Security-advisory-bulletin-013-013/56d4d616-4afd-40ee-863f-319b7126ed84 • CWE-209: Generation of Error Message Containing Sensitive Information •

CVE-2020-8188
https://notcve.org/view.php?id=CVE-2020-8188
02 Jul 2020 — We have recently released a new version of UniFi Protect firmware, v1.13.3 and v1.14.10 for UniFi Cloud Key Gen2 Plus and UniFi Dream Machine Pro/UNVR respectively, that fixes vulnerabilities found in Protect firmware v1.13.2, v1.14.9 and prior, according to the description below: View-only users can run certain custom commands which allow them to assign themselves unauthorized roles and escalate their privileges. • https://community.ui.com/releases/Security-advisory-bulletin-012-012/1bba9134-f888-4010-81c0-b0dd53b9bda4 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2020-12695 – hostapd: UPnP SUBSCRIBE misbehavior in WPS AP
https://notcve.org/view.php?id=CVE-2020-12695
08 Jun 2020 — The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue. • https://packetstorm.news/files/id/158051 • CWE-276: Incorrect Default Permissions CWE-918: Server-Side Request Forgery (SSRF) •