Our CVEs

Our submissions to the international database of Common Vulnerabilities and Exposures

A folder traversal vulnerability in Gotenberg up to version 6.2.1 could allow an attacker to upload and overwrite any writable files outside of the intended folder.

This can lead to DoS, changes in the program's behavior, or code execution.

CVSS v3.1: 9.8

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Scope: Unchanged

Confidentiality: High

Integrity: High

Availability: High

On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl":"setting/getSanvas"} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass.

The CAPTCHA text is also not needed when an attacker specifies valid credentials. The attacker can interact with the router over HTTP with basic authentication.

This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.

CVSS v3.1: 9.8

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Scope: Unchanged

Confidentiality: Critical

Integrity: High

Availability: High

On certain TOTOLINK Realtek SDK based routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. This allows for full control over the device's internals.

The vulnerability allows an attacker to take full control of the device.

This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.

CVSS v3.1: 8.8

Attack Vector: Network

Attack Complexity: Low

Privileges Required: Low

User Interaction: None

Scope: Unchanged

Confidentiality: High

Integrity: High

Availability: High

A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) stores cleartext administrative passwords in flash memory and in a file.

Data stored in memory in COMPCS format (apmib library) includes the router's administration passwords and other passwords in plain text. On initialization, the apmib library dumps the entire memory content into the /web/config.dat file, which can be downloaded together with the users' unencrypted passwords.

CVSS v3.1: 7.5

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Scope: Unchanged

Confidentiality: High

Integrity: None

Availability: None

A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) allows remote attackers to retrieve the configuration, including sensitive data (usernames and passwords).

The apmib library dumps the entire memory content into the /web/config.dat file at the time of initialization. This folder is used by the Boa HTTP server as a directory for indexing. If the router is configured for form-based authentication, access control only verifies access to certain URLs, but files with the ".dat" extension are not verified.

CVSS v3.1: 7.5

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Scope: Unchanged

Confidentiality: High

Integrity: None

Availability: None

This affects the web interface in D-Link DWR-116 up to 1.06, DIR-140L up to 1.02, DIR-640L up to 1.02, DWR-512 up to 2.02, DWR-712 up to 2.02, DWR-912 up to 2.02, DWR-921 up to 2.02 and DWR-111 up to 1.01.

The vulnerability allows remote attackers to read any files using /.. or // after "GET /uir" in the HTTP request. NOTE: This vulnerability exists because of a faulty fix for the issue reported in CVE-2017-6190.

CVSS v3.1: 7.5

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Scope: Unchanged

Confidentiality: High

Integrity: None

Availability: None

We detected a vulnerability in D-Link DWR-116 routers up to 1.06, DIR-140L up to 1.02, DIR-640L up to 1.02, DWR-512 up to 2.02, DWR-712 up to 2.02, DWR-912 up to 2.02, DWR-921 up to 2.02 and DWR-111 up to 1.01.

The administrative password is stored in plain text in the /tmp/csman/0 file. An attacker exploiting CVE-2018-10822 can download this file without authentication using a directory traversal or LFI attack and thus gain full access to the device.

CVSS v3.1: 9.8

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Scope: Unchanged

Confidentiality: High

Integrity: High

Availability: High

We detected a vulnerability in D-Link DWR-116 up to 1.06, DWR-512 up to 2.02, DWR-712 up to 2.02, DWR-912 up to 2.02, DWR-921 up to 2.02 and DWR-111 up to 1.01.
Once authenticated, an attacker can execute arbitrary code in the router's operating system by injecting a shell command into the Sip parameter of chkisg.htm. This allows taking full control of the device.

By combining this vulnerability with CVE-2018-10822 and CVE-2018-10824, an attacker is able to hijack the device without authentication.

CVSS v3.1: 8.8

Attack Vector: Network

Attack Complexity: Low

Privileges Required: Low

User Interaction: None

Scope: Unchanged

Confidentiality: High

Integrity: High

Availability: High

We have detected a vulnerability involving the use of highly predictable session tokens in the HTTPd server of ASUS asuswrt routers in all versions <= 3.0.0.4.380.7743.

The vulnerability allows access to the router's administrative interface when the administrator has logged in recently and the device's login IP verification is bypassed (CVE-2017-15653).

The router's own functionality can be used to query the device about logged-in users without authentication, which allows the process of acquiring the token to be automated.

CVSS v3.1: 8.3

Attack Vector: Network

Attack Complexity: High

Privileges Required: None

User Interaction: Required

Scope: Changed

Confidentiality: High

Integrity: High

Availability: High

We have detected a vulnerability consisting of incorrect validation of the IP address from which a user can log into the device, in the HTTPd server of ASUS asuswrt in all versions <= 3.0.0.4.380.7743.

Knowing the session token (obtained e.g. with CVE-2017-15654), the attacker is able to bypass the restriction on the IP address from which a user can log into the device by sending a specific value in the "User-Agent" header.

CVSS v3.1: 8.8

Attack Vector: Network

Attack Complexity: Low

Privileges Required: Low

User Interaction: None

Scope: Unchanged

Confidentiality: High

Integrity: High

Availability: High

We have detected a vulnerability where the administrator password is stored in clear text in nvram on the HTTPd server in all versions <= 3.0.0.4.380.7743 of ASUS asuswrt.

By combining CVE-2017-15654 and CVE-2017-15653, an attacker is able to obtain the administrator password and log into the device, knowing only the approximate time of the administrator's login.

CVSS v3.1: 8.8

Attack Vector: Network

Attack Complexity: Low

Privileges Required: Low

User Interaction: None

Scope: Unchanged

Confidentiality: High

Integrity: High

Availability: High

There are multiple buffer overflow vulnerabilities in the HTTPd server of ASUS asuswrt versions <= 3.0.0.4.376.X.

All of them were fixed in version 3.0.0.4.378, but this vulnerability was not previously discovered. Some decommissioned routers run version 3.0.0.4.376.X and are therefore currently vulnerable. The vulnerability could allow code to run with administrator privileges (RCE, remote code execution) when an administrator visits selected pages on the router after an attacker has overflowed the heap on the router.

CVSS v3.1: 9.6

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: Required

Scope: Changed

Confidentiality: High

Integrity: High

Availability: High

ManageEngine Password Manager Pro (PMP) older than 8.1 Build 8101 has an SQL injection vulnerability in AdvanceSearch.class in AdventNetPassTrix.jar.

The vulnerability we discovered allows remote, authenticated users to execute arbitrary SQL commands using the ANDOR parameter, thus gaining access to the passwords of other users stored in the system.

CVSS v3.1: 6.5

Attack Vector: Network

Attack Complexity: Low

Privileges Required: Single

User Interaction: Required

Scope: Changed

Confidentiality: Partial

Integrity: Partial

Availability: Partial