X41 D-Sec GmbH

17 exploits. Active since Apr 2016.
CVE-2017-8840 EXPLOITDB MEDIUM text WRITEUP
Peplink B305hw2 Firmware - Information Disclosure
Debug information disclosure exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. A direct request to cgi-bin/HASync/hasync.cgi?debug=1 shows Master LAN Address, Serial Number, HA Group ID, Virtual IP, and Submitted syncid.
CVSS 5.3
CVE-2017-8839 EXPLOITDB MEDIUM text WRITEUP
Peplink B305hw2 Firmware - XSS
XSS via orig_url exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is guest/preview.cgi.
CVSS 6.1
CVE-2017-8838 EXPLOITDB MEDIUM text WRITEUP
Peplink B305hw2 Firmware - XSS
XSS via syncid exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is cgi-bin/HASync/hasync.cgi.
CVSS 6.1
CVE-2017-8837 EXPLOITDB CRITICAL text WRITEUP
Peplink B305hw2 Firmware - Insufficiently Protected Credentials
Cleartext password storage exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The files in question are /etc/waipass and /etc/roapass. In case one of these devices is compromised, the attacker can gain access to passwords and abuse them to compromise further systems.
CVSS 9.8
CVE-2017-8836 EXPLOITDB HIGH text WRITEUP
Peplink B305hw2 Firmware - CSRF
CSRF exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The CGI scripts in the administrative interface are affected. This allows an attacker to execute commands if a logged-in user visits a malicious website. This can, for example, be used to change the credentials of the administrative web interface.
CVSS 8.8
CVE-2017-8835 EXPLOITDB CRITICAL text WRITEUP
Peplink B305hw2 Firmware - SQL Injection
SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database.
CVSS 9.8
CVE-2017-15270 EXPLOITDB MEDIUM text WRITEUP
Psftpd - Improper Input Validation
The PSFTPd 10.0.4 Build 729 server does not properly escape data before writing it into a Comma Separated Values (CSV) file. This can be used by attackers to hide data in the Graphical User Interface (GUI) view and create arbitrary entries to a certain extent. Special characters such as '"' and ',' and '\r' are not escaped and can be used to add new entries to the log.
CVSS 5.3
CVE-2017-8835 METASPLOIT CRITICAL ruby WORKING POC
Peplink B305hw2 Firmware - SQL Injection
SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database.
CVSS 9.8
CVE-2017-15271 EXPLOITDB MEDIUM text WRITEUP
Psftpd - Use After Free
A use-after-free issue could be triggered remotely in the SFTP component of PSFTPd 10.0.4 Build 729. This issue could be triggered prior to authentication. The PSFTPd server did not automatically restart, which enabled attackers to perform a very effective DoS attack against this service. By sending a crafted SSH identification / version string to the server, a NULL pointer dereference could be caused, apparently because of a race condition in the window message handling that performs the cleanup for invalid connections. This incorrect cleanup code has a use-after-free.
CVSS 5.9
CVE-2019-11706 EXPLOITDB HIGH text WRITEUP
Thunderbird <60.7.1 - Use After Free
A flaw in Thunderbird's implementation of iCal causes a type confusion in icaltimezone_get_vtimezone_properties when processing certain email messages, resulting in a crash. This vulnerability affects Thunderbird < 60.7.1.
CVSS 7.5
CVE-2019-11703 EXPLOITDB CRITICAL text WRITEUP
Thunderbird <60.7.1 - Buffer Overflow
A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in parser_get_next_char when processing certain email messages, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7.1.
CVSS 9.8
CVE-2019-11705 EXPLOITDB CRITICAL text WRITEUP
Thunderbird <60.7.1 - Buffer Overflow
A flaw in Thunderbird's implementation of iCal causes a stack buffer overflow in icalrecur_add_bydayrules when processing certain email messages, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7.1.
CVSS 9.8
CVE-2019-11704 EXPLOITDB CRITICAL text WRITEUP
Thunderbird <60.7.1 - Buffer Overflow
A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in icalmemory_strdup_and_dequote when processing certain email messages, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7.1.
CVSS 9.8
CVE-2016-2851 EXPLOITDB CRITICAL python WORKING POC
Debian Linux < 4.1.0 - Memory Corruption
Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow.
CVSS 9.8
EIP-2026-102992 EXPLOITDB text WRITEUP
Shadowsocks - Log File Command Execution
EIP-2026-102993 EXPLOITDB text WRITEUP
shadowsocks-libev 3.1.0 - Command Execution
CVE-2017-8841 EXPLOITDB HIGH text WRITEUP
Peplink B305hw2 Firmware - Path Traversal
Arbitrary file deletion exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The attack methodology is absolute path traversal in cgi-bin/MANGA/firmware_process.cgi via the upfile.path parameter.
CVSS 8.1