CVSS: 8.8EPSS: 4%CPEs: 1EXPL: 1CVE-2020-24849
https://notcve.org/view.php?id=CVE-2020-24849
05 Nov 2020 — A remote code execution vulnerability is identified in FruityWifi through 2.4. Due to improperly escaped shell metacharacters obtained from the POST request at the page_config_adv.php page, it is possible to perform remote code execution by an authenticated attacker. This is similar to CVE-2018-17317. Una vulnerabilidad de ejecución de código remota es identificada en FruityWifi versiones hasta 2.4. Debido a unos metacaracteres shell inapropiadamente escapados obtenidos de la petición POST en la página... • http://fruitywifi.com/index_eng.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-24848
https://notcve.org/view.php?id=CVE-2020-24848
23 Oct 2020 — FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system. FruityWifi versiones hasta 2.4, presenta una configuración de Sudo no segura [(ALL: ALL) NOPASSWD: ALL]. Esto permite a un atacante llevar a cabo una escalada de privilegios locales a nivel del sistema (root), permitiendo a un atacante conseguir acceso complet... • https://gist.github.com/harsh-bothra/5be73cfd53f1c5bea307c702ae83ff42 • CWE-269: Improper Privilege Management CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2020-24847
https://notcve.org/view.php?id=CVE-2020-24847
23 Oct 2020 — A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticated attacker can change the newSSID and hostapd_wpa_passphrase. Una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) es identificada en FruityWifi versiones hasta 2.4. Debido a una falta de protección... • https://github.com/xtr4nge/FruityWifi/issues/277 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2018-19168
https://notcve.org/view.php?id=CVE-2018-19168
11 Nov 2018 — Shell Metacharacter Injection in www/modules/save.php in FruityWifi (aka PatatasFritas/PatataWifi) through 2.4 allows remote attackers to execute arbitrary code with root privileges via a crafted mod_name parameter in a POST request. NOTE: unlike in CVE-2018-17317, the attacker does not need a valid session. Inyección de metacaracteres shell en www/modules/save.php en FruityWifi (también conocido como PatatasFritas/PatataWifi) hasta la versión 2.4 permite a los atacantes remotos ejecutar código arbitrario c... • https://github.com/xtr4nge/FruityWifi/issues/250 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 6%CPEs: 1EXPL: 2CVE-2018-17317
https://notcve.org/view.php?id=CVE-2018-17317
21 Sep 2018 — FruityWifi (aka PatatasFritas/PatataWifi) 2.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the io_mode, ap_mode, io_action, io_in_iface, io_in_set, io_in_ip, io_in_mask, io_in_gw, io_out_iface, io_out_set, io_out_mask, io_out_gw, iface, or domain parameter to /www/script/config_iface.php, or the newSSID, hostapd_secure, hostapd_wpa_passphrase, or supplicant_ssid parameter to /www/page_config.php. FruityWifi (también conocido como PatatasFritas/PatataWifi) 2.1 permite que... • http://blog.51cto.com/010bjsoft/2175710 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •