Shodan
Vulnerabilities
Vulnerable Software
Peplink:  Security Vulnerabilities
CVE-2023-49228
An issue was discovered in Peplink Balance Two before 8.4.0. Console port authentication uses hard-coded credentials, which allows an attacker with physical access and sufficient knowledge to execute arbitrary commands as root.
CVSS Score
6.4
EPSS Score
0.001
Published
2023-12-28
CVE-2023-49229
An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in the administration web service allows read-only, unprivileged users to obtain sensitive information about the device configuration.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-12-28
CVE-2023-49230
An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in captive portals allows attackers to modify the portals' configurations without prior authentication.
CVSS Score
8.8
EPSS Score
0.265
Published
2023-12-28
CVE-2023-49226
An issue was discovered in Peplink Balance Two before 8.4.0. Command injection in the traceroute feature of the administration console allows users with admin privileges to execute arbitrary commands as root.
CVSS Score
7.2
EPSS Score
0.015
Published
2023-12-25
CVE-2023-34354
A stored cross-site scripting (XSS) vulnerability exists in the upload_brand.cgi functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to execution of arbitrary javascript in another user's browser. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS Score
3.4
EPSS Score
0.001
Published
2023-10-11
CVE-2023-34356
An OS command injection vulnerability exists in the data.cgi xfer_dns functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS Score
7.2
EPSS Score
0.003
Published
2023-10-11
CVE-2023-35193
An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability is specifically for the `system` call in the file `/web/MANGA/cgi-bin/api.cgi` for firmware version 6.3.5 at offset 0x4bddb8.
CVSS Score
7.2
EPSS Score
0.002
Published
2023-10-11
CVE-2023-35194
An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability is specifically for the `system` call in the file `/web/MANGA/cgi-bin/api.cgi` for firmware version 6.3.5 at offset `0x4bde44`.
CVSS Score
7.2
EPSS Score
0.002
Published
2023-10-11
CVE-2023-27380
An OS command injection vulnerability exists in the admin.cgi USSD_send functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS Score
7.2
EPSS Score
0.003
Published
2023-10-11
CVE-2023-28381
An OS command injection vulnerability exists in the admin.cgi MVPN_trial_init functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS Score
7.2
EPSS Score
0.003
Published
2023-10-11


Products
Pricing
Contact Us

Shodan ® - All rights reserved