CVSS: 9.0EPSS: 8%CPEs: 16EXPL: 0CVE-2020-8233
https://notcve.org/view.php?id=CVE-2020-8233
17 Aug 2020 — A command injection vulnerability exists in EdgeSwitch firmware <v1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges. Se presenta una vulnerabilidad de inyección de comandos en el firmware de EdgeSwitch versiones anteriores a v1.9.0, que permitía a un usuario autenticado de solo lectura ejecutar comandos de shell arbitrarios por medio de la interfaz HTTP, permitiéndoles escalar privilegios. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 12EXPL: 0CVE-2020-8232
https://notcve.org/view.php?id=CVE-2020-8232
17 Aug 2020 — An information disclosure vulnerability exists in EdgeMax EdgeSwitch firmware v1.9.0 that allowed read only users could obtain unauthorized information through SNMP community pages. Se presenta una vulnerabilidad de divulgación de información en el firmware EdgeMax EdgeSwitch versión v1.9.0, que permitía a unos usuarios de solo lectura poder obtener información no autorizada por medio de las páginas de una comunidad SNMP. • https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-8126
https://notcve.org/view.php?id=CVE-2020-8126
07 Feb 2020 — A privilege escalation in the EdgeSwitch prior to version 1.7.1, an CGI script don't fully sanitize the user input resulting in local commands execution, allowing an operator user (Privilege-1) to escalate privileges and became administrator (Privilege-15). Una escalada de privilegios en EdgeSwitch anterior a la versión 1.7.1, un script CGI no sanea completamente la entrada del usuario lo que resulta en una ejecución de comandos locales, permitiendo a un usuario operador (Privilege-1) escalar privilegios y ... • https://hackerone.com/reports/197958 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 12EXPL: 0CVE-2019-5446
https://notcve.org/view.php?id=CVE-2019-5446
10 Jul 2019 — Command Injection in EdgeMAX EdgeSwitch prior to 1.8.2 allow an Admin user to execute commands as root. Una Inyección de Comandos en EdgeMAX EdgeSwitch versiones anteriores a 1.8.2, permite a un usuario administrador ejecutar comandos como root. • https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-8-2/824d58b1-6027-49cf-878d-2076c01948b7 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 4.9EPSS: 0%CPEs: 12EXPL: 0CVE-2019-5445
https://notcve.org/view.php?id=CVE-2019-5445
10 Jul 2019 — DoS in EdgeMAX EdgeSwitch prior to 1.8.2 allow an Admin user to Crash the SSH CLI interface by using crafted commands. Una DoS en EdgeMAX EdgeSwitch versiones anteriores a 1.8.2, permite que un usuario administrador Bloquee la interfaz de la CLI de SSH mediante el uso de comandos especialmente diseñados. • https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-8-2/824d58b1-6027-49cf-878d-2076c01948b7 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-5426
https://notcve.org/view.php?id=CVE-2019-5426
10 Apr 2019 — In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an unauthenticated user can use the "local port forwarding" and "dynamic port forwarding" (SOCKS proxy) functionalities. Remote attackers without credentials can exploit this bug to access local services or forward traffic through the device if SSH is enabled in the system settings. En Ubiquiti Networks EdgeSwitch X 1.1.0 y versiones anteriores, un usuario no autenticado puede utilizar las funcionalidades "local port forwarding" y "dynamic port forwarding"... • https://community.ubnt.com/t5/EdgeMAX-Updates-Blog/EdgeMAX-EdgeSwitch-X-software-release-v1-1-1/ba-p/2731137 • CWE-287: Improper Authentication •
CVSS: 9.0EPSS: 3%CPEs: 1EXPL: 0CVE-2019-5425
https://notcve.org/view.php?id=CVE-2019-5425
10 Apr 2019 — In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an authenticated user can execute arbitrary shell commands over the SSH interface bypassing the CLI interface, which allow them to escalate privileges to root. En Ubiquiti Networks EdgeSwitch X versión v1.1.0 y anteriores, un usuario identificado puede ejecutar comandos shell arbitrarios por medio de la interfaz SSH sin pasar por la interfaz CLI, lo que les permite escalar privilegios a root. • https://community.ubnt.com/t5/EdgeMAX-Updates-Blog/EdgeMAX-EdgeSwitch-X-software-release-v1-1-1/ba-p/2731137 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 0CVE-2019-5424
https://notcve.org/view.php?id=CVE-2019-5424
10 Apr 2019 — In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, a privileged user can execute arbitrary shell commands over the SSH CLI interface. This allows to execute shell commands under the root user. En Ubiquiti Networks EdgeSwitch X versión v1.1.0 y anteriores, un usuario privilegiado puede ejecutar comandos shell arbitrarios por medio de la interfaz de la CLI de SSH. Esto permite ejecutar comandos shell bajo el usuario root. • https://community.ubnt.com/t5/EdgeMAX-Updates-Blog/EdgeMAX-EdgeSwitch-X-software-release-v1-1-1/ba-p/2731137 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 26%CPEs: 24EXPL: 3CVE-2015-9266 – Ubiquiti airOS HTTP(S) unauthenticated arbitrary file upload
https://notcve.org/view.php?id=CVE-2015-9266
05 Sep 2018 — The web management interface of Ubiquiti airMAX, airFiber, airGateway and EdgeSwitch XP (formerly TOUGHSwitch) allows an unauthenticated attacker to upload and write arbitrary files using directory traversal techniques. An attacker can exploit this vulnerability to gain root privileges. This vulnerability is fixed in the following product versions (fixes released in July 2015, all prior versions are affected): airMAX AC 7.1.3; airMAX M (and airRouter) 5.6.2 XM/XW/TI, 5.5.11 XM/TI, and 5.5.10u2 XW; airGatewa... • https://www.exploit-db.com/exploits/39701 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2018-12590
https://notcve.org/view.php?id=CVE-2018-12590
20 Jun 2018 — Ubiquiti Networks EdgeSwitch version 1.7.3 and prior suffer from an externally controlled format-string vulnerability due to lack of protection on the admin CLI, leading to code execution and privilege escalation greater than administrators themselves are allowed. An attacker with access to an admin account could escape the restricted CLI and execute arbitrary code. EdgeSwitch, de Ubiquiti Networks, en versiones 1.7.3 y anteriores sufre de una vulnerabilidad de cadena de formato controlada externamente debi... • https://hackerone.com/reports/311884 • CWE-134: Use of Externally-Controlled Format String •