Draytek Vigorconnect vulnerabilities
7 known vulnerabilities affecting draytek/vigorconnect.
Total CVEs
7
CISA KEV
2
actively exploited
Public exploits
2
Exploited in wild
2
Severity breakdown
CRITICAL1HIGH5MEDIUM1
Vulnerabilities
Page 1 of 1
CVE-2021-20123P1HIGHCVSS 7.5KEVPoCv1.6.02021-10-13
CVE-2021-20123 [HIGH] CWE-22 CVE-2021-20123: A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download fu
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
nvd
CVE-2021-20124P1HIGHCVSS 7.5KEVPoCv1.6.02021-10-13
CVE-2021-20124 [HIGH] CWE-22 CVE-2021-20124: A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download fu
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
nvd
CVE-2021-20125P2CRITICALCVSS 9.8v1.6.02021-10-13
CVE-2021-20125 [CRITICAL] CWE-22 CVE-2021-20125: An arbitrary file upload and directory traversal vulnerability exists in the file upload functionali
An arbitrary file upload and directory traversal vulnerability exists in the file upload functionality of DownloadFileServlet in Draytek VigorConnect 1.6.0-B3. An unauthenticated attacker could leverage this vulnerability to upload files to any location on the target operating system with root privileges.
nvd
CVE-2021-20127P3HIGHCVSS 8.1v1.6.02021-10-13
CVE-2021-20127 [HIGH] CVE-2021-20127: An arbitrary file deletion vulnerability exists in the file delete functionality of the Html5Servlet
An arbitrary file deletion vulnerability exists in the file delete functionality of the Html5Servlet endpoint of Draytek VigorConnect 1.6.0-B3. This allows an authenticated user to arbitrarily delete files in any location on the target operating system with root privileges.
nvd
CVE-2021-20129P3HIGHCVSS 7.5v1.6.02021-10-13
CVE-2021-20129 [HIGH] CWE-532 CVE-2021-20129: An information disclosure vulnerability exists in Draytek VigorConnect 1.6.0-B3, allowing an unauthe
An information disclosure vulnerability exists in Draytek VigorConnect 1.6.0-B3, allowing an unauthenticated attacker to export system logs.
nvd
CVE-2021-20126P3HIGHCVSS 8.8v1.6.02021-10-13
CVE-2021-20126 [HIGH] CWE-352 CVE-2021-20126: Draytek VigorConnect 1.6.0-B3 lacks cross-site request forgery protections and does not sufficiently
Draytek VigorConnect 1.6.0-B3 lacks cross-site request forgery protections and does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
nvd
CVE-2021-20128P4MEDIUMCVSS 5.4v1.6.02021-10-13
CVE-2021-20128 [MEDIUM] CWE-79 CVE-2021-20128: The Profile Name field in the floor plan (Network Menu) page in Draytek VigorConnect 1.6.0-B3 was fo
The Profile Name field in the floor plan (Network Menu) page in Draytek VigorConnect 1.6.0-B3 was found to be vulnerable to stored XSS, as user input is not properly sanitized.
nvd