- OffSec Courses
- Services & Products
- About Us
- Our CVEs
- Blog
- Contact
The reporting functionality in Wyn Enterprise allows for code inclusion, but does not sufficiently restrict what code can be included. An attacker can use a low-privileged account to abuse this functionality and execute malicious code, load DLLs, and execute operating system commands on the host system with high-privileged applications. This issue is fixed in version 8.0.00204.0
CVSS v4: 8.7
Attack Requirements: None
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): High
Confidentiality (SC): None
A vulnerability in Ant Media Server Community Edition allows manipulation of headers in HTTP requests, enabling an unauthorized user to access all API functionalities (except for administrative ones) of the Ant Media Server Community Edition.
A directory traversal vulnerability in the file upload functionality in Gotenberg - before version 6.2.1 allows an attacker to upload and overwrite arbitrary writable files outside the intended directory.
This may lead to Denial of Service (DoS), modification of application behavior or code execution..
In affected TOTOLINK models based on Realtek SDK, the CAPTCHA text can be retrieved using a POST method {“topicurl”: “setting / getSanvas”} POST to the boafrm/formLogin URI, leading to CAPTCHA bypass.
The CAPTCHA text is also not needed when the attacker specifies valid credentials. An attacker can perform router actions via HTTP with basic authentication.
This affects A3002RU up to 2.0.0, A702R up to 2.1.3, N301RT up to 2.1.6 , N302R up to 3.4.0, N300RT up to 3.4.0, N200RE up to 4.0.0, N150RT up to 3.4.0 and N100RE up to 3.4.0.
On affected TOTOLINK routers based on Realtek SDK, an authenticated attacker can execute arbitrary operating system commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not accessible.
The vulnerability allows for complete takeover of the device.
This affects A3002RU up to 2.0.0, A702R up to 2.1.3, N301RT up to 2.1.6, N302R up to 3.4.0, N300RT up to 3.4.0, N200RE up to 4.0.0, N150RT up to 3.4.0, and N100RE up to 3.4.0.
A vulnerability has been discovered in routers based on the Realtek SDK (including Realtek APMIB 0.11f and Boa HTTP server 0.94.14rc21) that store passwords in plaintext (unencrypted).
Data stored in memory in the COMPCS format (apmib library) includes router administration passwords and other passwords in plaintext. The apmib library, upon initialization, dumps the entire contents of memory to the /web/config.dat file, which can be downloaded along with unencrypted user passwords.
A vulnerability has been discovered in Realtek SDK-based routers that utilize HTTP Basic authentication with a form-based login (including Realtek APMIB 0.11f and Boa HTTP server 0.94.14rc21), allowing remote attackers to retrieve the configuration, including sensitive data such as username and password.
The apmib library, upon initialization, dumps the entire contents of memory to the /web/config.dat file. This folder is used by the Boa HTTP server as a directory for indexing .If the router is configured for form-based authentication, access control only verifies access for certain URLs, but files with the ".dat" extension are not verified.
A vulnerability has been discovered in D-Link routers DWR-116 up to 1.06, DIR-140L up to 1.02, DIR-640L up to 1.02, DWR-512 up to 2.02, DWR-712 up to 2.02, DWR-912 up to 2.02, DWR-921 up to 2.02, and DWR-111 up to 1.01.
The administrative password is stored in plaintext in the /tmp/csman/0 file. An attacker exploiting CVE-2018-10822 can download this file without authentication using a Directory Traversal or Local File Inclusion (LFI) attack, thereby gaining full access to the device.
A directory traversal vulnerability has been discovered in the web interface of D-Link DWR-116 up to 1.06, DIR-140L up to 1.02, DIR-640L up to 1.02, DWR-512 up to 2.02, DWR-712 up to 2.02, DWR-912 up to 2.02, DWR-921 up to 2.02, and DWR-111 up to 1.01.
The vulnerability allows remote attackers to read arbitrary files by using /.. or // after "GET /uir" in a HTTP request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.
A vulnerability has been discovered in ASUS asuswrt HTTPd server all versions <= 3.0.0.4.380.7743, where the administrator password is stored in plaintext in nvram.
By combining CVE-2017-15654 and CVE-2017-15653, an attacker can obtain the administrator password and log in to the device, only by knowing the approximate time of the administrator's login.
Multiple buffer overflow vulnerabilities exist in the ASUS HTTPd server in asuswrt version <= 3.0.0.4.376.X.
All were fixed in 3.0.0.4.378, but this one was not previously discovered. Some end-of-life routers have version 3.0.0.4.376.X are therefore currently vulnerable. This vulnerability allows for remote code execution (RCE) as admin when the admin visits selected pages on the router, after the attacker has previously caused a heap overflow on the router.
A vulnerability has been discovered in the ASUS asuswrt HTTPd server in all versions <= 3.0.0.4.380.7743, which uses highly predictable session tokens.
This vulnerability allows an attacker to gain access to the router's administrative interface if the administrator has recently logged in, bypassing the device's login IP verification (CVE-2017-15653).
Using the router's functionalities, it is possible to query the device for logged-in users without authentication, thus automating the process of obtaining the token.
A vulnerability has been discovered in the ASUS asuswrt HTTPd server in all versions <= 3.0.0.4.380.7743, which involves improper validation of the IP address from which a user can log in to the device.
By knowing the session token (obtained, for example, using CVE-2017-15654), an attacker can bypass the IP address restriction for device login by sending a specific value in the 'User-Agent' header.
ManageEngine Password Manager Pro (PMP) has a SQL Injection vulnerability in AdvanceSearch.class in AdventNetPassTrix.jar in versions older than 8.1 Build 8101.
The vulnerability we discovered allows remote, authenticated users to execute arbitrary SQL commands using the ANDOR parameter, thereby gaining access to other users' passwords stored in the system.
EN 
PL