CVE-2020-15916
https://notcve.org/view.php?id=CVE-2020-15916
goform/AdvSetLanip endpoint on Tenda AC15 AC1900 15.03.05.19 devices allows remote attackers to execute arbitrary system commands via shell metacharacters in the lanIp POST parameter. El endpoint goform/AdvSetLanip en los dispositivos Tenda AC15 AC1900 versiones 15.03.05.19, permite a atacantes remotos ejecutar comandos arbitrarios del sistema por medio de metacaracteres de shell en el parámetro lanIp POST • https://github.com/geniuszlyy/CVE-2020-15916 https://blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2020-10987 – Tenda AC1900 Router AC15 Model Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-10987
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter. El endpoint goform/setUsbUnload de Tenda AC15 AC1900 versión 15.03.05.19, permite a atacantes remotos ejecutar comandos del sistema arbitrarios por medio del parámetro POST deviceName Tenda AC1900 Router AC15 Model contains an unspecified vulnerability that allows remote attackers to execute system commands via the deviceName POST parameter. • https://blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68 https://www.ise.io/research • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2020-10989
https://notcve.org/view.php?id=CVE-2020-10989
An XSS issue in the /goform/WifiBasicSet endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute malicious payloads via the WifiName POST parameter. Un problema de tipo XSS en el endpoint /goform/WifiBasicSet de Tenda AC15 AC1900 versión 15.03.05.19, permite a atacantes remotos ejecutar cargas maliciosas por medio del parámetro POST WifiName • https://blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68 https://www.ise.io/research • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-10988
https://notcve.org/view.php?id=CVE-2020-10988
A hard-coded telnet credential in the tenda_login binary of Tenda AC15 AC1900 version 15.03.05.19 allows unauthenticated remote attackers to start a telnetd service on the device. Una credencial de Telnet embebida en el binario tenda_login de Tenda AC15 AC1900 versión 15.03.05.19, permite a atacantes remotos no autenticados iniciar un servicio telnetd en el dispositivo • https://blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68 https://www.ise.io/research • CWE-798: Use of Hard-coded Credentials •
CVE-2020-10986
https://notcve.org/view.php?id=CVE-2020-10986
A CSRF issue in the /goform/SysToolReboot endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to reboot the device and cause denial of service via a payload hosted by an attacker-controlled web page. Un problema de tipo CSRF en el endpoint /goform/SysToolReboot de Tenda AC15 AC1900 versión 15.03.05.19, permite a atacantes remotos reiniciar el dispositivo y causar una denegación de servicio por medio de una carga útil alojada por una página web controlada por un atacante • https://blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68 https://www.ise.io/research • CWE-352: Cross-Site Request Forgery (CSRF) •