Airspan Airspot 5410 Firmware vulnerabilities
4 known vulnerabilities affecting airspan/airspot_5410_firmware.
Total CVEs: 4
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 2, HIGH 1, MEDIUM 1
Vulnerabilities
CVE-2022-36267 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC | ≤ 0.3.4.1-4 | 2022-08-08
In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists an unauthenticated remote command injection vulnerability. The ping functionality can be called without user authentication when crafting a malicious HTTP request by injecting code in one of the parameters, allowing for remote code execution. This vulnerability is exploited via the binary file
Source: NVD
CVE-2022-36264 | P2 | CRITICAL | CVSS 9.1 | CWE-434 | ≤ 0.3.4.1-4 | 2022-08-08
In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists an unauthenticated remote arbitrary file upload vulnerability which allows overwriting arbitrary files. A malicious actor can remotely upload a file of their choice and overwrite any file in the system by manipulating the filename and appending a relative path that will be interpreted d
Source: NVD
CVE-2022-36265 | P3 | HIGH | CVSS 7.2 | ≤ 0.3.4.1-4 | 2022-08-08
In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists a hidden system command web page. After reverse engineering the firmware, it was discovered that a hidden page not listed in the administration management interface allows a user to execute Linux commands on the device with root privileges. An authenticated malicious threat actor
Source: NVD
CVE-2022-36266 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 0.3.4.1-4 | 2022-08-08
In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists a stored XSS vulnerability. As the binary file /home/www/cgi-bin/login.cgi does not check if the user is authenticated, a malicious actor can craft a specific request on the login.cgi endpoint that contains a base32 encoded XSS payload that will be accepted and stored. A successful attac
Source: NVD