CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-31998
https://notcve.org/view.php?id=CVE-2023-31998
A heap overflow vulnerability found in EdgeRouters and Aircubes allows a malicious actor to interrupt UPnP service to said devices. • https://community.ui.com/releases/Security-Advisory-Bulletin-033-033/17f7c7c0-830b-4625-a2ee-e90e514e7b0f • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 1CVE-2023-2373 – Ubiquiti EdgeRouter X Web Management Interface command injection
https://notcve.org/view.php?id=CVE-2023-2373
A vulnerability, which was classified as critical, was found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. This affects an unknown part of the component Web Management Interface. The manipulation of the argument ecn-up leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/leetsun/IoT/tree/main/EdgeRouterX/CI/5 https://vuldb.com/?ctiid.227649 https://vuldb.com/?id.227649 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-43553
https://notcve.org/view.php?id=CVE-2022-43553
A remote code execution vulnerability in EdgeRouters (Version 2.0.9-hotfix.4 and earlier) allows a malicious actor with an operator account to run arbitrary administrator commands.This vulnerability is fixed in Version 2.0.9-hotfix.5 and later. Una vulnerabilidad de ejecución remota de código en EdgeRouters (Versión 2.0.9-hotfix.4 y anteriores) permite que un actor malicioso con una cuenta de operador ejecute comandos de administrador arbitrarios. Esta vulnerabilidad se solucionó en la Versión 2.0.9-hotfix.5 y posteriores. • https://community.ui.com/releases/Security-Advisory-Bulletin-026-026/07697c65-30b3-4c06-a158-35e06534480d • CWE-250: Execution with Unnecessary Privileges •
CVSS: 7.6EPSS: 0%CPEs: 2EXPL: 0CVE-2021-22909 – Ubiquiti Networks EdgeOS Improper Certificate Validation Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-22909
A vulnerability found in EdgeMAX EdgeRouter V2.0.9 and earlier could allow a malicious actor to execute a man-in-the-middle (MitM) attack during a firmware update. This vulnerability is fixed in EdgeMAX EdgeRouter V2.0.9-hotfix.1 and later. Una vulnerabilidad encontrada en EdgeMAX EdgeRouter versión V2.0.9 y anteriores, podría permitir a un actor malicioso ejecutar un ataque de tipo man-in-the-middle (MitM) durante una actualización de firmware. Esta vulnerabilidad se corrigió en EdgeMAX EdgeRouter versiones V2.0.9-hotfix.1 y posteriores This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ubiquiti Networks EdgeOS on EdgeRouter X, EdgeRouter Pro X SFP, EdgeRouter 10X and EdgePoint 6-port routers. User interaction is required to exploit this vulnerability in that an administrator must perform a firmware update on the device. The specific flaw exists within the downloading of firmware files via HTTPS. • https://community.ui.com/releases/Security-Advisory-Bulletin-018-018/cfa1566b-4bf8-427b-8cc7-8cffba3a93a4 • CWE-295: Improper Certificate Validation CWE-300: Channel Accessible by Non-Endpoint •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2020-8282
https://notcve.org/view.php?id=CVE-2020-8282
A security issue was found in EdgePower 24V/54V firmware v1.7.0 and earlier where, due to missing CSRF protections, an attacker would have been able to perform unauthorized remote code execution. Se encontró un problema de seguridad en EdgePower 24V/54V versiones de firmware v1.7.0 y anteriores donde, debido a una falta de protecciones de CSRF, un atacante habría sido capaz de llevar a cabo una ejecución de código remota no autorizada • https://community.ui.com/releases/Security-advisory-bulletin-016-016/40c1d33d-785e-44d5-8e6c-56a8addef1bc • CWE-352: Cross-Site Request Forgery (CSRF) •