CVSS: 10.0EPSS: 0%CPEs: 6EXPL: 0CVE-2023-41721
https://notcve.org/view.php?id=CVE-2023-41721
Instances of UniFi Network Application that (i) are run on a UniFi Gateway Console, and (ii) are versions 7.5.176. and earlier, implement device adoption with improper access control logic, creating a risk of access to device configuration information by a malicious actor with preexisting access to the network. Affected Products: UDM UDM-PRO UDM-SE UDR UDW Mitigation: Update UniFi Network to Version 7.5.187 or later. Instancias de la aplicación UniFi Network que (i) se ejecutan en una consola UniFi Gateway y (ii) son versiones 7.5.176. y antes, implementan la adopción de dispositivos con una lógica de control de acceso inadecuada, creando un riesgo de acceso a la información de configuración del dispositivo por parte de un actor malintencionado con acceso preexistente a la red. Productos afectados: UDM UDM-PRO UDM-SE UDR UDW Mitigación: actualice UniFi Network a la versión 7.5.187 o posterior. • https://community.ui.com/releases/Security-Advisory-Bulletin-036-036/81367bc9-2a64-4435-95dc-bbe482457615 • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 47EXPL: 0CVE-2023-35085
https://notcve.org/view.php?id=CVE-2023-35085
An integer overflow vulnerability in all UniFi Access Points and Switches, excluding the Switch Flex Mini, with SNMP Monitoring and default settings enabled could allow a Remote Code Execution (RCE). Affected Products: All UniFi Access Points (Version 6.5.50 and earlier) All UniFi Switches (Version 6.5.32 and earlier) -USW Flex Mini excluded. Mitigation: Update UniFi Access Points to Version 6.5.62 or later. Update the UniFi Switches to Version 6.5.59 or later. • https://community.ui.com/releases/Security-Advisory-Bulletin-035-035/91107858-9884-44df-b1c6-63c6499f6e56 • CWE-190: Integer Overflow or Wraparound •
CVSS: 9.8EPSS: 0%CPEs: 47EXPL: 0CVE-2023-38034
https://notcve.org/view.php?id=CVE-2023-38034
A command injection vulnerability in the DHCP Client function of all UniFi Access Points and Switches, excluding the Switch Flex Mini, could allow a Remote Code Execution (RCE). Affected Products: All UniFi Access Points (Version 6.5.53 and earlier) All UniFi Switches (Version 6.5.32 and earlier) -USW Flex Mini excluded. Mitigation: Update UniFi Access Points to Version 6.5.62 or later. Update UniFi Switches to Version 6.5.59 or later. • https://community.ui.com/releases/Security-Advisory-Bulletin-035-035/91107858-9884-44df-b1c6-63c6499f6e56 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32000
https://notcve.org/view.php?id=CVE-2023-32000
A Cross-Site Scripting (XSS) vulnerability found in UniFi Network (Version 7.3.83 and earlier) allows a malicious actor with Site Administrator credentials to escalate privileges by persuading an Administrator to visit a malicious web page. • https://community.ui.com/releases/Security-Advisory-Bulletin-034-034/53cfcb84-b42b-4f8f-afbf-07c0ca7cabe2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-28365
https://notcve.org/view.php?id=CVE-2023-28365
A backup file vulnerability found in UniFi applications (Version 7.3.83 and earlier) running on Linux operating systems allows application administrators to execute malicious commands on the host device being restored. • https://community.ui.com/releases/Security-Advisory-Bulletin-031-031/8c85fc64-e9a8-4082-9ec4-56b14effd545 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •