The IDAL HTTP server CGI interface contains a URL, which allows an unauthenticated attacker to bypass authentication and gain access to privileged functions. In the IDAL CGI interface, there is a URL (/cgi/loginDefaultUser), which will create a session in an authenticated state and return the session ID along with the username and plaintext password of the user. An attacker can then login with the provided credentials or supply the string 'IDALToken=......' in a cookie which will allow them to perform privileged operations such as restarting the service with /cgi/restart.
2617e6ac047295c7fb8c7aca613dea0e8f19f61ec746d1002bff8329b0e82b21Telus Actiontec WEB6000Q with firmware 1.1.02.22 suffers from a denial of service vulnerability. By querying CGI endpoints with empty (GET/POST/HEAD) requests causes a Segmentation Fault of the uhttpd webserver. Since there is no watchdog on this daemon, a device reboot is needed to restart the webserver to make any modification to the device.
b7e77c13720ff2862b5f2cd505e2fd83433bb92406f790f5a82bf75578c329ddAn HTML Injection vulnerability has been discovered on the RICOH SP 4520DN via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn or entryDisplayNameIn parameter.
8aa24d5f0536dc8ab8ba5a04208bb67d10be44f374d522d992546b0c6b964e41An HTML Injection vulnerability has been discovered on the RICOH SP 4510DN via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter.
1e92ae0c5278fc1a1ef7d635b6034490e6b56ed89def0c3158b907b154633917An exploitable information disclosure vulnerability exists in the ACEManager template_load.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause a information leak, resulting in the disclosure of internal paths and files. An attacker can make an authenticated HTTP request to trigger this vulnerability.
0bfeae904f970d08dabdaa8a014eee4efca75639721f7dd9c6b4b2fd1e02c43fAn exploitable Permission Assignment vulnerability exists in the ACEManager EmbeddedAceSet_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause a arbitrary setting writes, resulting in the unverified changes to any system setting. An attacker can make an authenticated HTTP request, or run the binary as any user, to trigger this vulnerability.
b6b5e7d97f80e9991783d37c820d5a565fa0b7b7199695cec240963831c1d23cAn exploitable Information Disclosure vulnerability exists in the ACEManager EmbeddedAceGet_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an information disclosure, resulting in the exposure of confidential information, including, but not limited to, plaintext passwords and SNMP community strings. An attacker can make an authenticated HTTP request, or run the binary, to trigger this vulnerability.
f3e9e439a12b70a96bfeb02d461beccb29bf0fda4eae49519ccb97a1479c0998An exploitable remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability.
94904005a117eb6fda194315d152fd94ea44aa87006ebcb29834bdb9395935ceAn exploitable cross-site scripting vulnerability exists in the ACEManager ping_result.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP ping request can cause reflected javascript code execution, resulting in the execution of javascript code running on the victim's browser. An attacker can get a victim to click a link, or embedded URL, that redirects to the reflected cross-site scripting vulnerability to trigger this vulnerability.
843062931f3d85ff42aac061fbc4007b19a65b2deb3e53ce1c161532a0586172An exploitable unverified password change vulnerability exists in the ACEManager upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause a unverified device configuration change, resulting in an unverified change of the user password on the device. An attacker can make an authenticated HTTP request to trigger this vulnerability.
03dc48edf642f79b31afeae22c3d7656aa0c1b7af7fa4437850772c1cd927437An exploitable command injection vulnerability exists in the ACEManager iplogging.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can inject arbitrary commands, resulting in arbitrary command execution. An attacker can send an authenticated HTTP request to trigger this vulnerability.
af5b23fa20f418a3ae4846c607a1b417e1e10c46d2de2f3be018020bcadeb4d2This Metasploit module exploits a command injection vulnerability in Imperva SecureSphere version 13.x. The vulnerability exists in the PWS service, where Python CGIs did not properly sanitize user supplied command parameters and directly passes them to corresponding CLI utility, leading to command injection. Agent registration credential is required to exploit SecureSphere in gateway mode. This module was successfully tested on Imperva SecureSphere 13.0/13.1/13.2 in pre-ftl mode and unsealed gateway mode.
bdfbc634ef200611fefa72897a8585b4730eee313338e28e3fd534dd61610207devolo dLAN 550 duo+ version 3.1.0-1 suffers from a remote code execution vulnerability. The devolo firmware has what seems to be a 'hidden' services which can be enabled by authenticated attacker via the the htmlmgr CGI script. This allows the attacker to start services that are deprecated or discontinued and achieve remote arbitrary code execution with root privileges.
7ece4c01e8a0626b1675f616f6834eda99a5d6c9df3da5ad87248e5df5a38acbThis Metasploit module exploits an arbitrary command execution vulnerability in Webmin versions 1.900 and below. Any user authorized to the "Java file manager" and "Upload and Download" fields, to execute arbitrary commands with root privileges. In addition, "Running Processes" field must be authorized to discover the directory to be uploaded. A vulnerable file can be printed on the original files of the Webmin application. The vulnerable file we are uploading should be integrated with the application. Therefore, a ".cgi" file with the vulnerability belong to webmin application should be used. The module has been tested successfully with Webmin version 1.900 over Debian 4.9.18.
220bdda523afcc7f1ded8735ea03ed18dad447ecbc6744a6c32035e4ce3c5dfeSynaccess netBooter NP-02x and NP-08x version 6.8 suffer from an authentication bypass vulnerability due to a missing control check when calling the webNewAcct.cgi script while creating users. This allows an unauthenticated attacker to create an admin user account and bypass authentication giving her the power to turn off a power supply to a resource.
2016e1b7fad384a5d33b446ff9f1776a9a363ae3b420b71f0e2afb27ee2b41beThe FLIR Brickstream 3D+ sensor is vulnerable to unauthenticated config download and file disclosure vulnerability when calling the ExportConfig REST API (getConfigExportFile.cgi). This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and/or full system access.
28f859be185735a935a473e099613589b8afccb4843208fedf69d3181dd9add9Teltonika RUT9XX routers with firmware before 00.05.01.1 are prone to cross site scripting vulnerabilities in hotspotlogin.cgi due to insufficient user input sanitization.
4cce626d1539e2d1d2f295b036e17ec9f4779d6658a6a91f1e7574c7c10e9d5dTeltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.
3b891e67dc7f84a78fafd4de519a7224bdb6d898a5ad5c79db67551a91fc0d24man-cgi versions prior to 1.16 suffer from a local file inclusion vulnerability.
656d2efdebbfc676809fb219798a80e508b90134287bfb9d8e75181c05e3501dMicrohard Systems 3G/4G Cellular Ethernet and Serial Gateway systems suffer from a system backup configuration file 'IPn4G.config' in '/' directory or its respective name based on the model name including the similar files in '/www/cgi-bin/system.conf', '/tmp' and the cli.conf in '/etc/m_cli/' can be downloaded by an authenticated attacker in certain circumstances. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and/or full system access. Many versions are affected.
3308505cfc0dc6793c720ed8984af9ae73fb959eb91433b4b2602436f3c76825This Metasploit module exploits a an arbitrary command execution vulnerability. The vulnerability exists in the /uapi-cgi/viewer/simple_loglistjs.cgi page and allows an anonymous user to execute arbitrary commands with root privileges. Firmware <= 1.12.0.19 are concerned. Tested on 5.02024 G-Cam/EFD-2250 running 1.12.0.4 firmware.
b06cdd72647a3c5ae361e51c53891472ce5c21a9a290972228f38c754cae44d6Ubuntu Security Notice 3665-1 - It was discovered that Tomcat incorrectly handled being configured with HTTP PUTs enabled. A remote attacker could use this issue to upload a JSP file to the server and execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10. It was discovered that Tomcat contained incorrect documentation regarding description of the search algorithm used by the CGI Servlet to identify which script to execute. This issue only affected Ubuntu 17.10. Various other issues were also addressed.
adc3401f4c6099499fc7f32dd5cfa60804e4fe107e205fa1ebecec9060700bf5Teradek VidiU Pro version 3.0.3 suffers from a stream disclosure vulnerability in snapshot.cgi.
1ec16c77ff64530a16f5ee014a1d612f9f673ff0d860df47d7438147ddb9ecf5Teradek Slice version 7.3.15 suffers from a stream disclosure vulnerability in snapshot.cgi.
526c66045fa6be523cc8edfa55dcf7233f85933c7c408e5105ac9f7a66500f44Teradek T-RAX version 7.3.2 suffers from a stream disclosure vulnerability in snapshot.cgi.
69d8a2bfab670f5bce274a6f980f3cf8b6cd28a765740ec72516f1a6fc6cb370
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed