Lucene search
K
DraytekVigorconnect

7 matches found

CVE
CVE
added 2021/10/13 3:47 p.m.214 views

CVE-2021-20123

Draytek VigorConnect 1.6.0-B3 exposes a local file inclusion flaw in the DownloadFileServlet, allowing an unauthenticated attacker to download arbitrary files from the host with root privileges. Affected component: DownloadFileServlet/file download functionality. Root-cause: LFI in the file downl...

7.8CVSS7.4AI score0.74279EPSS
In wild
CVE
CVE
added 2021/10/13 3:48 p.m.185 views

CVE-2021-20124

Draytek VigorConnect 1.6.0-B3 is affected by an unauthenticated local file inclusion via the WebServlet file download endpoint. This allows arbitrary file download from the underlying OS (root privileges). Public advisories document a fix in VigorConnect 1.6.1; CISA/CIRCL/NCSC references corrobor...

7.8CVSS7.4AI score0.69248EPSS
In wild
CVE
CVE
added 2021/10/13 3:48 p.m.58 views

CVE-2021-20125

CVE-2021-20125 affects Draytek VigorConnect 1.6.0-B3. The vulnerability exists in the DownloadFileServlet’s file-upload functionality, enabling an unauthenticated attacker to upload arbitrary files and perform directory traversal to places on the target OS with root privileges. This is documented...

10CVSS9.5AI score0.03823EPSS
CVE
CVE
added 2021/10/13 3:49 p.m.53 views

CVE-2021-20128

The CVE-2021-20128 vulnerability affects DrayTek VigorConnect 1.6.0-B3, specifically the Profile Name field in the floor plan (Network Menu) page. It is a stored XSS flaw caused by improper sanitization of user input in that field. The exploit would rely on injecting malicious script via the Prof...

5.4CVSS5.3AI score0.00551EPSS
CVE
CVE
added 2021/10/13 3:48 p.m.50 views

CVE-2021-20126

Draytek VigorConnect 1.6.0-B3 is affected by a cross-site request forgery vulnerability due to missing protections and insufficient verification that requests are intentional from the authenticated user. The available sources describe the issue and impacted version but do not provide exploit deta...

8.8CVSS8.7AI score0.00612EPSS
CVE
CVE
added 2021/10/13 3:49 p.m.45 views

CVE-2021-20127

CVE-2021-20127 affects DrayTek VigorConnect (version 1.6.0-B3) via the Html5Servlet endpoint’s file deletion feature. An authenticated user can arbitrarily delete files anywhere on the target OS with root privileges, enabling high-impact disruption and potential data loss. The vulnerability stems...

8.5CVSS7.9AI score0.01095EPSS
CVE
CVE
added 2021/10/13 3:49 p.m.45 views

CVE-2021-20129

CVE-2021-20129 affects Draytek VigorConnect 1.6.0-B3. An unauthenticated attacker can export system logs via network exposure (information disclosure). Other connected sources also describe a local file inclusion risk in related endpoints (WebServlet/DownloadFileServlet) on the same version, enab...

7.5CVSS7.2AI score0.01644EPSS