Multiple Vulnerabilities in Draytek Vigor 2130

VIGOR 2130 firmware 1.5.4.9 1.1. Command injection in traceroute functionality A user can execute arbitrary commands RCE on the router by abusing the traceroute functionality. The interface expects an IP address as input, but does not validate the input. Just provide the input: ; id The above...

DrayTek VigorACS SI 1.3.0 File Write / LFI / File Upload

DrayTek VigorACS SI /ACSServer/ We found that most of the VigorACS SI deployments are using the default http authentication settings acs/password. This is not so much a software vulnerability but more a configuration issue. 2.2 Unauthenticated arbitrary file read/write functionality via...