CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 1CVE-2019-13407 – Advan VD-1 has a reflected XSS vulnerability in page cgibin/ssi.cgi
https://notcve.org/view.php?id=CVE-2019-13407
A XSS found in Advan VD-1 firmware versions up to 230. VD-1 responses a path error message when a requested resource was not found in page cgibin/ssi.cgi. It leads to a reflected XSS because the error message does not escape properly. Un XSS encontrado en las versiones de firmware Advan VD-1 hasta 230. VD-1 responde a un mensaje de error de ruta de acceso cuando no se encontró un recurso solicitado en la página cgibin/ssi.cgi. • http://surl.twcert.org.tw/SpTwh https://gist.github.com/keniver/f5155b42eb278ec0273b83565b64235b#file-androvideo-advan-vd-1-multiple-vulnerabilities-md https://tvn.twcert.org.tw/taiwanvn/TVN-201906008 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 1CVE-2019-11064 – A vulnerability of remote credential disclosure was discovered in Advan VD-1
https://notcve.org/view.php?id=CVE-2019-11064
A vulnerability of remote credential disclosure was discovered in Advan VD-1 firmware versions up to 230. An attacker can export system configuration which is not encrypted to get the administrator’s account and password in plain text via cgibin/ExportSettings.cgi?Export=1 without any authentication. Se descubrió una vulnerabilidad de divulgación remota de credenciales en las versiones de firmware Advan VD-1 hasta 230. Un atacante puede exportar la configuración del sistema que no está encriptada para obtener la cuenta y la contraseña del administrador en texto plano a través de cgibin / ExportSettings.cgi? • http://surl.twcert.org.tw/gCDQN https://gist.github.com/keniver/f5155b42eb278ec0273b83565b64235b#file-androvideo-advan-vd-1-multiple-vulnerabilities-md https://tvn.twcert.org.tw/taiwanvn/TVN-201906005 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 1CVE-2019-13408 – Advan VD-1 allows users to download arbitrary files
https://notcve.org/view.php?id=CVE-2019-13408
A relative path traversal vulnerability found in Advan VD-1 firmware versions up to 230. It allows attackers to download arbitrary files via url cgibin/ExportSettings.cgi?Download=filepath, without any authentication. Una vulnerabilidad de recorrido de ruta relativa encontrada en las versiones de firmware de Advan VD-1 hasta 230. Permite a los atacantes descargar archivos arbitrarios a través de url cgibin/ExportSettings.cgi? • http://surl.twcert.org.tw/2bvXq https://gist.github.com/keniver/f5155b42eb278ec0273b83565b64235b#file-androvideo-advan-vd-1-multiple-vulnerabilities-md https://tvn.twcert.org.tw/taiwanvn/TVN-201906009 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal CWE-862: Missing Authorization •