Peplink: Security Vulnerabilities
A privilege escalation vulnerability exists in the /bin/login functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted command line argument can lead to a limited-shell escape and elevated capabilities. An attacker can authenticate with hard-coded credentials and execute unblocked default busybox functionality to trigger this vulnerability.
CVSS Score
6.8
EPSS Score
0.01
Published
2024-04-17
An information disclosure vulnerability exists in the web interface /cgi-bin/debug_dump.cgi functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
CVSS Score
5.3
EPSS Score
0.006
Published
2024-04-17
An information disclosure vulnerability exists in the web interface /cgi-bin/download_config.cgi functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
CVSS Score
5.3
EPSS Score
0.005
Published
2024-04-17
A data integrity vulnerability exists in the web interface /cgi-bin/upload_config.cgi functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to configuration modification. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
CVSS Score
8.3
EPSS Score
0.007
Published
2024-04-17
An OS command injection vulnerability exists in the web interface mac2name functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS Score
9.1
EPSS Score
0.039
Published
2024-04-17
An issue was discovered in Peplink Balance Two before 8.4.0. Console port authentication uses hard-coded credentials, which allows an attacker with physical access and sufficient knowledge to execute arbitrary commands as root.
CVSS Score
6.4
EPSS Score
0.001
Published
2023-12-28
An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in the administration web service allows read-only, unprivileged users to obtain sensitive information about the device configuration.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-12-28
An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in captive portals allows attackers to modify the portals' configurations without prior authentication.
CVSS Score
8.8
EPSS Score
0.207
Published
2023-12-28
An issue was discovered in Peplink Balance Two before 8.4.0. Command injection in the traceroute feature of the administration console allows users with admin privileges to execute arbitrary commands as root.
CVSS Score
7.2
EPSS Score
0.015
Published
2023-12-25
A stored cross-site scripting (XSS) vulnerability exists in the upload_brand.cgi functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to execution of arbitrary javascript in another user's browser. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS Score
3.4
EPSS Score
0.001
Published
2023-10-11
Page 1