CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-43491
https://notcve.org/view.php?id=CVE-2023-43491
17 Apr 2024 — An information disclosure vulnerability exists in the web interface /cgi-bin/debug_dump.cgi functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. Existe una vulnerabilidad de divulgación de información en la funcionalidad de la interfaz web /cgi-bin/debug_dump.cgi de Peplink Smart Reader v1.2.0 (en QEMU). Una solicitud HTTP especialmente ma... • https://forum.peplink.com/t/peplink-security-advisory-smart-reader-firmware-1-2-0-cve-2023-43491-cve-2023-45209-cve-2023-39367-cve-2023-45744-cve-2023-40146/47256 • CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-45209
https://notcve.org/view.php?id=CVE-2023-45209
17 Apr 2024 — An information disclosure vulnerability exists in the web interface /cgi-bin/download_config.cgi functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. Existe una vulnerabilidad de divulgación de información en la funcionalidad de la interfaz web /cgi-bin/download_config.cgi de Peplink Smart Reader v1.2.0 (en QEMU). Una solicitud HTTP especi... • https://forum.peplink.com/t/peplink-security-advisory-smart-reader-firmware-1-2-0-cve-2023-43491-cve-2023-45209-cve-2023-39367-cve-2023-45744-cve-2023-40146/47256 • CWE-284: Improper Access Control •
CVSS: 9.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-45744
https://notcve.org/view.php?id=CVE-2023-45744
17 Apr 2024 — A data integrity vulnerability exists in the web interface /cgi-bin/upload_config.cgi functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to configuration modification. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. Existe una vulnerabilidad de integridad de datos en la funcionalidad de la interfaz web /cgi-bin/upload_config.cgi de Peplink Smart Reader v1.2.0 (en QEMU). Una solicitud HTTP especialmente manipulada puede provoc... • https://forum.peplink.com/t/peplink-security-advisory-smart-reader-firmware-1-2-0-cve-2023-43491-cve-2023-45209-cve-2023-39367-cve-2023-45744-cve-2023-40146/47256 • CWE-284: Improper Access Control •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-39367
https://notcve.org/view.php?id=CVE-2023-39367
17 Apr 2024 — An OS command injection vulnerability exists in the web interface mac2name functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. Existe una vulnerabilidad de inyección de comandos del sistema operativo en la funcionalidad mac2name de la interfaz web de Peplink Smart Reader v1.2.0 (en QEMU). Una solicitud HTTP especialmente manipulada puede provocar la ... • https://forum.peplink.com/t/peplink-security-advisory-smart-reader-firmware-1-2-0-cve-2023-43491-cve-2023-45209-cve-2023-39367-cve-2023-45744-cve-2023-40146/47256 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40146
https://notcve.org/view.php?id=CVE-2023-40146
17 Apr 2024 — A privilege escalation vulnerability exists in the /bin/login functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted command line argument can lead to a limited-shell escape and elevated capabilities. An attacker can authenticate with hard-coded credentials and execute unblocked default busybox functionality to trigger this vulnerability. Existe una vulnerabilidad de escalada de privilegios en la funcionalidad /bin/login de Peplink Smart Reader v1.2.0 (en QEMU). Un argumento de línea de... • https://forum.peplink.com/t/peplink-security-advisory-smart-reader-firmware-1-2-0-cve-2023-43491-cve-2023-45209-cve-2023-39367-cve-2023-45744-cve-2023-40146/47256 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 1CVE-2023-49228
https://notcve.org/view.php?id=CVE-2023-49228
28 Dec 2023 — An issue was discovered in Peplink Balance Two before 8.4.0. Console port authentication uses hard-coded credentials, which allows an attacker with physical access and sufficient knowledge to execute arbitrary commands as root. Se descubrió un problema en Peplink Balance Two antes de 8.4.0. La autenticación del puerto de consola utiliza credenciales codificadas, lo que permite a un atacante con acceso físico y conocimiento suficiente ejecutar comandos arbitrarios como root. • https://www.synacktiv.com/publications%253Ffield_tags_target_id%253D4 • CWE-798: Use of Hard-coded Credentials •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2023-49229
https://notcve.org/view.php?id=CVE-2023-49229
28 Dec 2023 — An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in the administration web service allows read-only, unprivileged users to obtain sensitive information about the device configuration. Se descubrió un problema en Peplink Balance Two antes de 8.4.0. Una verificación de autorización faltante en el servicio web de administración permite a los usuarios sin privilegios y de solo lectura obtener información confidencial sobre la configuración del dispositivo. • https://www.synacktiv.com/publications%253Ffield_tags_target_id%253D4 • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-49230
https://notcve.org/view.php?id=CVE-2023-49230
28 Dec 2023 — An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in captive portals allows attackers to modify the portals' configurations without prior authentication. Se descubrió un problema en Peplink Balance Two antes de 8.4.0. Una verificación de autorización faltante en portales cautivos permite a los atacantes modificar las configuraciones de los portales sin autenticación previa. • https://www.synacktiv.com/publications%253Ffield_tags_target_id%253D4 • CWE-862: Missing Authorization •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 1CVE-2023-49226
https://notcve.org/view.php?id=CVE-2023-49226
25 Dec 2023 — An issue was discovered in Peplink Balance Two before 8.4.0. Command injection in the traceroute feature of the administration console allows users with admin privileges to execute arbitrary commands as root. Se descubrió un problema en Peplink Balance Two antes de 8.4.0. La inyección de comandos en la función traceroute de la consola de administración permite a los usuarios con privilegios de administrador ejecutar comandos arbitrarios como root. • https://www.synacktiv.com/publications%253Ffield_tags_target_id%253D4 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-34356
https://notcve.org/view.php?id=CVE-2023-34356
11 Oct 2023 — An OS command injection vulnerability exists in the data.cgi xfer_dns functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. Existe una vulnerabilidad de inyección de comandos del sistema operativo en la funcionalidad data.cgi xfer_dns de peplink Surf SOHO HW1 v6.3.5 (en QEMU). Una solicitud HTTP especialmente manipulada puede conducir a la ejecución de un coman... • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1778 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •