
DrayTek Vigor3900 Firmware vulnerabilities

48 known vulnerabilities affecting draytek/vigor3900_firmware.

Total CVEs: 48
CISA KEV: 2 (actively exploited)
Public exploits: 2
Exploited in wild: 13
Severity breakdown: CRITICAL 19, HIGH 29

Vulnerabilities

Page 3 of 3
CVE-2024-51254 | P3 | HIGH | CVSS 8.8 | v1.5.1.3 | 2024-10-31
[HIGH] CWE-77: DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the sign_cacertificate function.
Source: nvd
CVE-2024-46316 | P3 | HIGH | CVSS 8.0 | v1.5.1.6 | 2024-10-09
[HIGH] CWE-78: DrayTek Vigor3900 v1.5.1.6 was discovered to contain a command injection vulnerability via the sub_2C920 function at /cgi-bin/mainfunction.cgi. This vulnerability allows attackers to execute arbitrary commands via supplying a crafted HTTP message.
Source: nvd
CVE-2024-51253 | P3 | HIGH | CVSS 8.0 | v1.5.1.3 | 2024-11-04
[HIGH] CWE-78: In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doL2TP function.
Source: nvd
CVE-2024-51249 | P3 | HIGH | CVSS 8.0 | v1.5.1.3 | 2024-11-04
[HIGH] CWE-78: In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the reboot function.
Source: nvd
CVE-2024-45882 | P3 | HIGH | CVSS 8.0 | v1.5.1.3 | 2024-11-04
[HIGH] CWE-78: DrayTek Vigor3900 1.5.1.3 contains a command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `delete_map_profile`.
Source: nvd
CVE-2024-51251 | P3 | HIGH | CVSS 8.0 | v1.5.1.3 | 2024-11-04
[HIGH] CWE-78: In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the backup function.
Source: nvd
CVE-2024-51246 | P3 | HIGH | CVSS 8.0 | v1.5.1.3 | 2024-11-04
[HIGH] CWE-78: In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doPPTP function.
Source: nvd
CVE-2024-43027 | P3 | HIGH | CVSS 8.0 | fixed in 1.5.1.5 | 2024-08-21
[HIGH] CWE-77: DrayTek Vigor 3900 before v1.5.1.5_Beta, DrayTek Vigor 2960 before v1.5.1.5_Beta and DrayTek Vigor 300B before v1.5.1.5_Beta were discovered to contain a command injection vulnerability via the action parameter at cgi-bin/mainfunction.cgi.
Source: nvd