Hongdian H8951-4g-esp
10 CVEs affecting Hongdian H8951-4g-esp. Latest disclosed: 2024-01-12. Critical: 0, High: 0.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-49262 | | | 2024-01-12 | The authentication mechanism can be bypassed by overflowing the value of the Cookie "authentication" field, provided there is an active user session. |
| CVE-2023-49261 | | | 2024-01-12 | The "tokenKey" value used in user authorization is visible in the HTML source of the login page. |
| CVE-2023-49260 | | | 2024-01-12 | An XSS attack can be performed by changing the MOTD banner and pointing the victim to the "terminal_tool.cgi" path. It can be used together with the vulnerabil… |
| CVE-2023-49259 | | | 2024-01-12 | The authentication cookies are generated using an algorithm based on the username, hardcoded secret and the up-time, and can be guessed in a reasonable time. |
| CVE-2023-49258 | | | 2024-01-12 | User browser may be forced to execute JavaScript and pass the authentication cookie to the attacker leveraging the XSS vulnerability located at "/gui/terminal_… |
| CVE-2023-49257 | | | 2024-01-12 | An authenticated user is able to upload an arbitrary CGI-compatible file using the certificate upload utility and execute it with the root user privileges. |
| CVE-2023-49256 | | | 2024-01-12 | It is possible to download the configuration backup without authorization and decrypt included passwords using hardcoded static key. |
| CVE-2023-49255 | | | 2024-01-12 | The router console is accessible without authentication at "data" field, and while a user needs to be logged in in order to modify the configuration, the sessi… |
| CVE-2023-49254 | | | 2024-01-12 | Authenticated user can execute arbitrary commands in the context of the root user by providing payload in the "destination" field of the network test tools. Th… |
| CVE-2023-49253 | | | 2024-01-12 | Root user password is hardcoded into the device and cannot be changed in the user interface. |