CVE-2023-31997
https://notcve.org/view.php?id=CVE-2023-31997
UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi Network that allows users on a local network to access MongoDB. This affects applicable Cloud Keys that are both (1) running UniFi OS 3.1 and (2) hosting the UniFi Network application. "Applicable Cloud Keys" include the following: Cloud Key Gen2 and Cloud Key Gen2 Plus. • https://community.ui.com/releases/Security-Advisory-Bulletin-032-032/e57301f4-4f5e-4d9f-90bc-71f1923ed7a4
CVE-2020-8157
https://notcve.org/view.php?id=CVE-2020-8157
UniFi Cloud Key firmware <= v1.1.10 for Cloud Key gen2 and Cloud Key gen2 Plus contains a vulnerability that allows unrestricted root access through the serial interface (UART). • https://community.ui.com/releases/Security-advisory-bulletin-008-008/5f66ca4c-10d6-4ca5-9620-37d5a4f22413 • https://community.ui.com/releases/UniFi-Cloud-Key-Firmware-1-1-11/a24e55e1-6d90-46d7-92e2-01539ec8c79d • CWE-284: Improper Access Control
CVE-2020-8148
https://notcve.org/view.php?id=CVE-2020-8148
UniFi Cloud Key firmware < 1.1.6 contains a vulnerability that allows an attacker to change a device hostname by sending a malicious API request. This affects Cloud Key gen2 and Cloud Key gen2 Plus. • https://community.ui.com/releases/Security-advisory-bulletin-007-007/eb639fa0-68ad-4bf5-9663-3b760eb2f93a • https://hackerone.com/reports/802079 • CWE-287: Improper Authentication