// For flags

CVE-2017-8835

Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure

Severity Score

9.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

3
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database.

Una inyección SQL se presenta en los dispositivos Peplink Balance 305, 380, 580, 710, 1350 y 2500 con versión de firmware anterior a fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. Un vector de ataque es la cookie bauth para el archivo cgi-bin/MANGA/admin.cgi. Un impacto es la enumeración de las cuentas de usuario al observar si se puede recuperar un ID de sesión de la base de datos de sesiones.

Peplink version 7.0.0-build1904 suffers from cross site request forgery, cross site scripting, file deletion, and remote SQL injection vulnerabilities.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-05-08 CVE Reserved
  • 2017-06-05 CVE Published
  • 2017-06-05 First Exploit
  • 2024-08-05 CVE Updated
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Peplink
Search vendor "Peplink"
 B305hw2 Firmware
Search vendor "Peplink" for product "B305hw2 Firmware"
 7.0.1
Search vendor "Peplink" for product "B305hw2 Firmware" and version "7.0.1"
-
Affected
in Peplink
Search vendor "Peplink"
 Balance 305
Search vendor "Peplink" for product "Balance 305"
--
Safe
Peplink
Search vendor "Peplink"
 380hw6 Firmware
Search vendor "Peplink" for product "380hw6 Firmware"
 7.0.1
Search vendor "Peplink" for product "380hw6 Firmware" and version "7.0.1"
-
Affected
in Peplink
Search vendor "Peplink"
 Balance 380
Search vendor "Peplink" for product "Balance 380"
--
Safe
Peplink
Search vendor "Peplink"
 580hw2 Firmware
Search vendor "Peplink" for product "580hw2 Firmware"
 7.0.1
Search vendor "Peplink" for product "580hw2 Firmware" and version "7.0.1"
-
Affected
in Peplink
Search vendor "Peplink"
 Balance 580
Search vendor "Peplink" for product "Balance 580"
--
Safe
Peplink
Search vendor "Peplink"
 710hw3 Firmware
Search vendor "Peplink" for product "710hw3 Firmware"
 7.0.1
Search vendor "Peplink" for product "710hw3 Firmware" and version "7.0.1"
-
Affected
in Peplink
Search vendor "Peplink"
 Balance 710
Search vendor "Peplink" for product "Balance 710"
--
Safe
Peplink
Search vendor "Peplink"
 1350hw2 Firmware
Search vendor "Peplink" for product "1350hw2 Firmware"
 7.0.1
Search vendor "Peplink" for product "1350hw2 Firmware" and version "7.0.1"
-
Affected
in Peplink
Search vendor "Peplink"
 Balance 1350
Search vendor "Peplink" for product "Balance 1350"
--
Safe
Peplink
Search vendor "Peplink"
 2500 Firmware
Search vendor "Peplink" for product "2500 Firmware"
 7.0.1
Search vendor "Peplink" for product "2500 Firmware" and version "7.0.1"
-
Affected
in Peplink
Search vendor "Peplink"
 Balance 2500
Search vendor "Peplink" for product "Balance 2500"
--
Safe