Zyxel: Security Vulnerabilities
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows attackers to discover accounts via MySQL "select * from Administrator_users" and "select * from Users_users" requests.
CVSS Score
5.3
EPSS Score
0.009
Published
2022-09-29
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows escape-sequence injection into the /var/log/axxmpp.log file.
CVSS Score
5.3
EPSS Score
0.006
Published
2022-09-29
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a "Use of GET Request Method With Sensitive Query Strings" issue for /registerCpe requests.
CVSS Score
5.3
EPSS Score
0.005
Published
2022-09-29
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a "Use of GET Request Method With Sensitive Query Strings" issue for /cnr requests.
CVSS Score
5.3
EPSS Score
0.005
Published
2022-09-29
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows live/CPEManager/AXCampaignManager/handle_campaign_script_link?script_name= XSS.
CVSS Score
6.1
EPSS Score
0.007
Published
2022-09-29
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded opt/axess/AXAssets/default_axess/axess/TR69/Handlers/turbolink/sshkeys/id_rsa SSH key.
CVSS Score
7.5
EPSS Score
0.004
Published
2022-09-29
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated update_all_realm_license API.
CVSS Score
7.5
EPSS Score
0.008
Published
2022-09-29
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_install_user API.
CVSS Score
5.3
EPSS Score
0.004
Published
2022-09-29
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_install_user_key API.
CVSS Score
5.3
EPSS Score
0.004
Published
2022-09-29
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_get_user_id_and_key API.
CVSS Score
5.3
EPSS Score
0.004
Published
2022-09-29