Filtered by vendor Wavlink
Subscriptions
Total
72 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-34046 | 1 Wavlink | 2 Wn533a8, Wn533a8 Firmware | 2022-10-07 | 7.5 High |
| An access control issue in Wavlink WN533A8 M33A8.V5030.190716 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/sysinit.shtml?r=52300 and searching for [logincheck(user);]. | ||||
| CVE-2022-34047 | 1 Wavlink | 2 Wl-wn530hg4, Wl-wn530hg4 Firmware | 2022-10-06 | 7.5 High |
| An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/set_safety.shtml?r=52300 and searching for [var syspasswd]. | ||||
| CVE-2022-40621 | 1 Wavlink | 2 Wn531g3, Wn531g3 Firmware | 2022-09-19 | 7.5 High |
| Because the WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 and earlier communicates over HTTP and not HTTPS, and because the hashing mechanism does not rely on a server-supplied key, it is possible for an attacker with sufficient network access to capture the hashed password of a logged on user and use it in a classic Pass-the-Hash style attack. | ||||
| CVE-2022-40622 | 1 Wavlink | 2 Wn531g3, Wn531g3 Firmware | 2022-09-19 | 8.8 High |
| The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 uses IP addresses to hold sessions and does not not use session tokens. Therefore, if an attacker changes their IP address to match the logged-in administrator's, or is behind the same NAT as the logged in administrator, session takeover is possible. | ||||
| CVE-2022-40623 | 1 Wavlink | 2 Wn531g3, Wn531g3 Firmware | 2022-09-19 | 8.8 High |
| The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 does not utilize anti-CSRF tokens, which, when combined with other issues (such as CVE-2022-35518), can lead to remote, unauthenticated command execution. | ||||
| CVE-2022-34575 | 1 Wavlink | 1 Wifi-repeater Firmware | 2022-08-03 | 5.7 Medium |
| An access control issue in Wavlink WiFi-Repeater RPTA2-77W.M4300.01.GD.2017Sep19 allows attackers to obtain the key information of the device via accessing fctest.shtml. | ||||
| CVE-2022-34576 | 1 Wavlink | 2 Wn535g3, Wn535g3 Firmware | 2022-08-03 | 7.5 High |
| A vulnerability in /cgi-bin/ExportAllSettings.sh of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to execute arbitrary code via a crafted POST request. | ||||
| CVE-2022-34577 | 1 Wavlink | 2 Wn535g3, Wn535g3 Firmware | 2022-08-03 | 9.8 Critical |
| A vulnerability in adm.cgi of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to execute arbitrary code via a crafted POST request. | ||||
| CVE-2022-34045 | 1 Wavlink | 2 Wl-wn530hg4, Wl-wn530hg4 Firmware | 2022-07-27 | 9.8 Critical |
| Wavlink WN530HG4 M30HG4.V5030.191116 was discovered to contain a hardcoded encryption/decryption key for its configuration files at /etc_ro/lighttpd/www/cgi-bin/ExportAllSettings.sh. | ||||
| CVE-2022-34048 | 1 Wavlink | 2 Wn533a8, Wn533a8 Firmware | 2022-07-27 | 6.1 Medium |
| Wavlink WN533A8 M33A8.V5030.190716 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the login_page parameter. | ||||
| CVE-2022-34049 | 1 Wavlink | 2 Wl-wn530hg4, Wl-wn530hg4 Firmware | 2022-07-27 | 5.3 Medium |
| An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows unauthenticated attackers to download log files and configuration data. | ||||
| CVE-2022-2486 | 1 Wavlink | 4 Wl-wn535k2, Wl-wn535k2 Firmware, Wl-wn535k3 and 1 more | 2022-07-26 | 9.8 Critical |
| A vulnerability, which was classified as critical, was found in WAVLINK WN535K2 and WN535K3. This affects an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade. The manipulation of the argument key leads to os command injection. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-2487 | 1 Wavlink | 4 Wl-wn535k2, Wl-wn535k2 Firmware, Wl-wn535k3 and 1 more | 2022-07-26 | 9.8 Critical |
| A vulnerability has been found in WAVLINK WN535K2 and WN535K3 and classified as critical. This vulnerability affects unknown code of the file /cgi-bin/nightled.cgi. The manipulation of the argument start_hour leads to os command injection. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-2488 | 1 Wavlink | 4 Wl-wn535k2, Wl-wn535k2 Firmware, Wl-wn535k3 and 1 more | 2022-07-26 | 9.8 Critical |
| A vulnerability was found in WAVLINK WN535K2 and WN535K3 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/touchlist_sync.cgi. The manipulation of the argument IP leads to os command injection. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-31846 | 1 Wavlink | 2 Wn535g3, Wn535g3 Firmware | 2022-06-23 | 7.5 High |
| A vulnerability in live_mfg.shtml of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to obtain sensitive router information via execution of the exec cmd function. | ||||
| CVE-2022-31845 | 1 Wavlink | 2 Wn535g3, Wn535g3 Firmware | 2022-06-23 | 7.5 High |
| A vulnerability in live_check.shtml of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to obtain sensitive router information via execution of the exec cmd function. | ||||
| CVE-2022-30489 | 1 Wavlink | 2 Wn535g3, Wn535g3 Firmware | 2022-05-23 | 6.1 Medium |
| WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi. | ||||
| CVE-2020-10972 | 1 Wavlink | 6 Wn530hg4, Wn530hg4 Firmware, Wn531g3 and 3 more | 2022-04-29 | 7.5 High |
| An issue was discovered where a page is exposed that has the current administrator password in cleartext in the source code of the page. No authentication is required in order to reach the page (a certain live_?.shtml page with the variable syspasswd). Affected Devices: Wavlink WN530HG4, Wavlink WN531G3, and Wavlink WN572HG3 | ||||
| CVE-2020-12266 | 1 Wavlink | 30 Jetstream Ac3000, Jetstream Ac3000 Firmware, Jetstream Erac3000 and 27 more | 2022-04-29 | 7.5 High |
| An issue was discovered where there are multiple externally accessible pages that do not require any sort of authentication, and store system information for internal usage. The devices automatically query these pages to update dashboards and other statistics, but the pages can be accessed externally without any authentication. All the pages follow the naming convention live_(string).shtml. Among the information disclosed is: interface status logs, IP address of the device, MAC address of the device, model and current firmware version, location, all running processes, all interfaces and their statuses, all current DHCP leases and the associated hostnames, all other wireless networks in range of the router, memory statistics, and components of the configuration of the device such as enabled features. Affected devices: Affected devices are: Wavlink WN530HG4, Wavlink WN575A3, Wavlink WN579G3,Wavlink WN531G3, Wavlink WN533A8, Wavlink WN531A6, Wavlink WN551K1, Wavlink WN535G3, Wavlink WN530H4, Wavlink WN57X93, WN572HG3, Wavlink WN578A2, Wavlink WN579G3, Wavlink WN579X3, and Jetstream AC3000/ERAC3000 | ||||
| CVE-2020-10974 | 1 Wavlink | 26 Jetstream Ac3000, Jetstream Ac3000 Firmware, Jetstream Erac3000 and 23 more | 2022-04-28 | 7.5 High |
| An issue was discovered affecting a backup feature where a crafted POST request returns the current configuration of the device in cleartext, including the administrator password. No authentication is required. Affected devices: Wavlink WN575A3, Wavlink WN579G3, Wavlink WN531A6, Wavlink WN535G3, Wavlink WN530H4, Wavlink WN57X93, Wavlink WN572HG3, Wavlink WN575A4, Wavlink WN578A2, Wavlink WN579G3, Wavlink WN579X3, and Jetstream AC3000/ERAC3000 | ||||