766 matches found
Authentication flaw
Multiple authentication bypass vulnerabilities in the /cgi-bin/ endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allow an attacker to leak router settings, change configuration variables, and cause denial of service via an unauthenticated endpoint...
CVE-2020-25079
An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. cgi-bin/ddnsenc.cgi allows authenticated command injection...
Command injection
An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. cgi-bin/ddnsenc.cgi allows authenticated command injection...
VulnCheck KEV: CVE-2013-2578
cgi-bin/admin/servetest in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12sign6 allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the ServerName parameter and (2) other unspecified...
CVE-2020-10973
WAVLINK WN530HG4 / WN531G3 / WN533A8 / WN551K1 are affected by an improper access control vulnerability in /cgi-bin/ExportAllSettings.sh. A crafted POST request, without authentication, returns the device’s current configuration including the administrator password; the attacker must perform a de...
VulnCheck KEV: CVE-2014-9727
AVM Fritz!Box allows remote attackers to execute arbitrary commands via shell metacharacters in the var:lang parameter to cgi-bin/webcm...
CVE-2020-11734
cgi-bin/go in CyberSolutions CyberMail 5 or later allows XSS via the ACTION parameter...
Cross-site scripting
An issue was discovered on Xirrus XR520, XR620, XR2436, and XH2-120 devices. The cgi-bin/ViewPage.cgi user parameter allows XSS...
The vulnerability of the cgi-bin/index2.asp component of Genexis Platinum-P4410-V2 and Genexis Platinum-4410 routing software allows a hacker to obtain authentication data necessary to access the router administration panel.
The vulnerability of the cgi-bin/index2.asp component of Genexis Platinum-P4410-V2 and Genexis Platinum-4410 routing software is related to authentication deficiencies. Exploiting this vulnerability could allow an attacker to obtain authentication credentials necessary to access the router...
CVE-2020-8515
DrayTek Vigor2960 1.3.1Beta, Vigor3900 1.4.4Beta, and Vigor300B 1.3.3Beta, 1.4.2.1Beta, and 1.4.4Beta devices allow remote code execution as root without authentication via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1...
CVE-2020-8515
DrayTek Vigor2960 1.3.1Beta, Vigor3900 1.4.4Beta, and Vigor300B 1.3.3Beta, 1.4.2.1Beta, and 1.4.4Beta devices allow remote code execution as root without authentication via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1. Recent...
CVE-2014-3718
Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/tagm.cgi in Ex Libris ALEPH 500 (Integrated library management system) 18.1 and 20 allow remote attackers to inject arbitrary web script or HTML via the (1) find, (2) lib, or (3) sid parameter...
CVE-2014-3719
Multiple SQL injection vulnerabilities in cgi-bin/reviewm.cgi in Ex Libris ALEPH 500 (Integrated library management system) 18.1 and 20 allow remote attackers to execute arbitrary SQL commands via the (1) find, (2) lib, or (3) sid parameter...
CVE-2019-20215
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via a urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because HTTP_ST is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker t...
SQL injection
Multiple SQL injection vulnerabilities in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allow remote attackers to execute arbitrary SQL commands via the (1) addip parameter to cgi-bin/scrutfaexclusions.cgi, (2)...
CVE-2020-6170
An authentication bypass vulnerability on Genexis Platinum-4410 v2.1 (P4410-V2 1.28) devices allows attackers to obtain cleartext credentials from the HTML source code of the cgi-bin/index2.asp URI...