Netis-Systems: Security Vulnerabilities
On Netis DL4323 devices, XSS exists via the urlFQDN parameter to form2url.cgi (aka the Keyword field of the URL Blocking Configuration).
CVSS Score: 6.1; EPSS Score: 0.004; Published: 2019-12-30
On Netis DL4323 devices, CSRF exists via form2logaction.cgi to delete all logs.
CVSS Score: 6.5; EPSS Score: 0.002; Published: 2019-12-30
On Netis DL4323 devices, XSS exists via the form2Ddns.cgi hostname parameter (Dynamic DNS Configuration).
CVSS Score: 6.1; EPSS Score: 0.004; Published: 2019-12-30
On Netis DL4323 devices, XSS exists via the form2userconfig.cgi username parameter (User Account Configuration).
CVSS Score: 6.1; EPSS Score: 0.005; Published: 2019-12-30
On Netis DL4323 devices, any user role can view sensitive information, such as a user password or the FTP password, via the form2saveConf.cgi page.
CVSS Score: 8.8; EPSS Score: 0.002; Published: 2019-12-30
On Netis DL4323 devices, pingrtt_v6.html has XSS (Ping6 Diagnostic).
CVSS Score: 6.1; EPSS Score: 0.005; Published: 2019-12-30
On Netis DL4323 devices, XSS exists via the form2Ddns.cgi username parameter (DynDns settings of the Dynamic DNS Configuration).
CVSS Score: 6.1; EPSS Score: 0.004; Published: 2019-12-30
On Netis WF2411 with firmware 2.1.36123 and other Netis WF2xxx devices (possibly WF2411 through WF2880), there is a stack-based buffer overflow that does not require authentication. This can cause denial of service (device restart) or remote code execution. This vulnerability can be triggered by a GET request with a long HTTP "Authorization: Basic" header that is mishandled by user_auth->user_ok in /bin/boa.
CVSS Score: 9.8; EPSS Score: 0.718; Published: 2019-02-21
A cross-site request forgery web vulnerability has been discovered on Netis WF2419 V2.2.36123 devices. A remote attacker is able to delete Address Reservation List settings.
CVSS Score: 8.8; EPSS Score: 0.005; Published: 2018-01-29
Netis WF2419 V2.2.36123 devices allow XSS via the Description parameter on the Bandwidth Control Rule Settings page.
CVSS Score: 5.4; EPSS Score: 0.003; Published: 2018-01-25

