Lucene search
+L
DraytekVigor166 Firmware

15 matches found

CVE
CVE
added 2022/08/29 5:38 a.m.461 views

CVE-2022-32548

CVE-2022-32548 affects DrayTek Vigor routers (e.g., Vigor3910) with firmware prior to 4.3.1.1. The vulnerability is a buffer overflow in the web management interface at /cgi-bin/wlogin.cgi triggered by crafted input in the username or password fields (aa/ab), enabling unauthenticated remote code ...

10CVSS9.6AI score0.33795EPSS
Web
CVE
CVE
added 2025/02/27 12:0 a.m.142 views

CVE-2024-41334

Affected devices: DrayTek Vigor series including Vigor 165/166 (before 4.2.6), Vigor 2620/LTE200 (before 3.9.8.8), Vigor 2860/2925 (before 3.9.7), Vigor 2862/2926 (before 3.9.9.4), Vigor 2133/2762/2832 (before 3.9.8), Vigor 2135/2765/2766 (before 4.4.5.1), Vigor 2865/2866/2927 (before 4.4.5.3), V...

8.8CVSS8.2AI score0.0036EPSS
CVE
CVE
added 2023/03/03 12:0 a.m.137 views

CVE-2023-23313

CVE-2023-23313 affects DrayTek Vigor routers via XSS in the wlogin.cgi and user_login.cgi web portal scripts. Affected models span multiple series and firmware versions (e.g., Vigor3910, Vigor1000B, Vigor2962 v4.3.2.1; Vigor2865/2866 v4.4.1.0; Vigor2927 v4.4.2.2; Vigor2915, Vigor2765/2766/2135 v4...

6.1CVSS6AI score0.00357EPSS
CVE
CVE
added 2023/06/01 12:0 a.m.100 views

CVE-2023-33778

Summary: CVE-2023-33778 relates to Draytek Vigor devices (Routers, Access Points, Switches, Myvigor) that ship with hardcoded encryption keys. This flaw lets an attacker bind an affected device to their own account and subsequently create WCF and DrayDDNS licenses and synchronize them from the we...

9.8CVSS9.4AI score0.00599EPSS
CVE
CVE
added 2024/10/03 12:0 a.m.98 views

CVE-2024-41592

CVE-2024-41592 affects DrayTek Vigor3910 devices up to 4.3.2.6. The issue is a stack-based overflow in the GetCGI function when processing query string parameters (extraneous ampersands and long key–value pairs). Exploitation could lead to arbitrary code execution or DoS as described in multiple ...

8CVSS7AI score0.01397EPSS
CVE
CVE
added 2025/02/27 12:0 a.m.78 views

CVE-2024-41340

The CVE-2024-41340 issue affects multiple Draytek Vigor devices, where an attacker can upload crafted APP Enforcement modules, leading to arbitrary code execution. Affected models and minimum patched versions include: Vigor 165/166 before 4.2.6 (update to 4.2.6+), Vigor 2620/LTE200 before 3.9.8.8...

8.4CVSS7.4AI score0.00212EPSS
CVE
CVE
added 2024/10/03 12:0 a.m.76 views

CVE-2024-41593

CVE-2024-41593 affects DrayTek Vigor310 devices up to version 4.3.2.6. The vulnerability is a heap-based buffer overflow in the web interface function ft_payload_dns due to a byte sign-extension in the length argument of a memcpy call, enabling remote code execution. Connected sources confirm the...

9.8CVSS7.8AI score0.00885EPSS
CVE
CVE
added 2025/02/27 12:0 a.m.75 views

CVE-2024-41339

The CVE-2024-41339 entry concerns DrayTek Vigor routers where the CGI endpoint used to upload configurations allows uploading a crafted kernel module, enabling arbitrary code execution. Affected are multiple models and firmware ranges (e.g., Vigor 165/166 before 4.2.6; 2620/LTE200 before 3.9.8.8;...

8.8CVSS7.3AI score0.00614EPSS
CVE
CVE
added 2024/10/03 12:0 a.m.72 views

CVE-2024-41594

DrayTek Vigor310 devices up to version 4.3.2.6 are affected by CVE-2024-41594 due to the httpd server seeding the OpenSSL PRNG with a static string. This enables an information-disclosure vector (and related MITM risk) via the Vigor310 management UI. Connected sources provide concrete details: af...

7.5CVSS6.1AI score0.00271EPSS
CVE
CVE
added 2024/10/03 12:0 a.m.67 views

CVE-2024-41587

CVE-2024-41587 affects DrayTek Vigor310 devices (through firmware 4.3.2.6) with a stored XSS in the login page greeting introduced by poor sanitization. Authenticated users can inject script via the Greeting message, with impact limited to the affected web UI context (confidentiality/integrity im...

5.4CVSS6.4AI score0.0024EPSS
CVE
CVE
added 2024/10/03 12:0 a.m.67 views

CVE-2024-41591

CVE-2024-41591 affects DrayTek Vigor3910 devices (firmware up to 4.3.2.6) with an unauthenticated DOM-based reflected XSS in the Web UI. Root cause: insufficient protection for the web page structure in the router’s firmware, enabling manipulation of the DOM by crafted input. Impact: cross-site s...

6.1CVSS6.9AI score0.00256EPSS
CVE
CVE
added 2025/02/27 12:0 a.m.66 views

CVE-2024-41338

CVE-2024-41338 describes a NULL pointer dereference in DrayTek Vigor devices that allows a Denial of Service (DoS) when handling crafted DHCP requests. Affected devices and minimum vulnerable/patch versions include: Vigor 165/166 prior to 4.2.6; 2620/LTE200 prior to 3.9.8.8; 2860/2925 prior to 3....

7.5CVSS6.8AI score0.00434EPSS
CVE
CVE
added 2024/10/03 12:0 a.m.66 views

CVE-2024-41590

CVE-2024-41590 affects DrayTek Vigor310 routers, where the web UI CGI endpoints expose a buffer overflow via missing bounds checks on POST parameters passed to strcpy. Affected firmware includes versions up to 4.3.2.6, and exploitation requires authenticated access. The Red Hat/NCSC/PT-Security e...

8CVSS6.7AI score0.00329EPSS
CVE
CVE
added 2024/10/03 12:0 a.m.65 views

CVE-2024-41588

Affected software: DrayTek Vigor3910 (through 4.3.2.6). Vulnerable endpoints: CGI pages /cgi-bin/v2x00.cgi and /cgi-bin/cgiwcg.cgi. Root cause: Missing bounds checking in POST parameters passed to strncpy, allowing a buffer overflow. Actors: Authenticated users. Impact (as stated): Buffer overflo...

8CVSS6.8AI score0.00328EPSS
CVE
CVE
added 2024/10/03 12:0 a.m.65 views

CVE-2024-41596

CVE-2024-41596 affects DrayTek Vigor310 devices (versions up to 4.3.2.6). The vulnerability is a buffer overflow in the web UI caused by improper retrieval/handling of CGI form parameters, enabling a remote attacker to potentially execute arbitrary code or cause a denial of service via crafted re...

8CVSS7AI score0.00328EPSS