Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Vigorconnect
(Draytek)Repositories |
Unknown: This might be proprietary software. |
#Vulnerabilities | 7 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2021-10-13 | CVE-2021-20123 | A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges. | Vigorconnect | 7.5 | ||
2021-10-13 | CVE-2021-20124 | A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges. | Vigorconnect | 7.5 | ||
2021-10-13 | CVE-2021-20125 | An arbitrary file upload and directory traversal vulnerability exists in the file upload functionality of DownloadFileServlet in Draytek VigorConnect 1.6.0-B3. An unauthenticated attacker could leverage this vulnerability to upload files to any location on the target operating system with root privileges. | Vigorconnect | 9.8 | ||
2021-10-13 | CVE-2021-20126 | Draytek VigorConnect 1.6.0-B3 lacks cross-site request forgery protections and does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. | Vigorconnect | 8.8 | ||
2021-10-13 | CVE-2021-20127 | An arbitrary file deletion vulnerability exists in the file delete functionality of the Html5Servlet endpoint of Draytek VigorConnect 1.6.0-B3. This allows an authenticated user to arbitrarily delete files in any location on the target operating system with root privileges. | Vigorconnect | 8.1 | ||
2021-10-13 | CVE-2021-20128 | The Profile Name field in the floor plan (Network Menu) page in Draytek VigorConnect 1.6.0-B3 was found to be vulnerable to stored XSS, as user input is not properly sanitized. | Vigorconnect | 5.4 | ||
2021-10-13 | CVE-2021-20129 | An information disclosure vulnerability exists in Draytek VigorConnect 1.6.0-B3, allowing an unauthenticated attacker to export system logs. | Vigorconnect | 7.5 |