cvebase

Inhandnetworks Inrouter302 Firmware vulnerabilities

9 known vulnerabilities affecting inhandnetworks/inrouter302_firmware.

Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 5, MEDIUM 2

Vulnerabilities

CVE-2022-21182 | P3 | HIGH | CVSS 8.8 | ≤ 3.5.4 | 2022-05-12
CWE-284: A privilege escalation vulnerability exists in the router configuration import functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.
nvd
CVE-2023-22600 | P3 | HIGH | CVSS 8.1 | fixed in 3.5.56 | 2023-01-12
CWE-284: InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-284: Improper Access Control. They allow unauthenticated devices to subscribe to MQTT topics on the same network as the device manager. An unauthorized user who knows of an existing topic name could send
nvd
CVE-2023-22598 | P3 | HIGH | CVSS 7.2 | fixed in 3.5.56 | 2023-01-12
CWE-78: InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). An unauthorized user with privileged access to the local web interface or the cloud account managing the af
nvd
CVE-2023-22599 | P3 | CRITICAL | CVSS 9.1 | fixed in 3.5.56 | 2023-01-12
CWE-760: InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-760: Use of a One-way Hash with a Predictable Salt. They send MQTT credentials in response to HTTP/HTTPS requests from the cloud platform. These credentials are encoded using a hardcoded string into
nvd
CVE-2022-21809 | P3 | HIGH | CVSS 8.1 | ≤ 3.5.37 | 2022-05-12
CWE-377: A file write vulnerability exists in the httpd upload.cgi functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can upload a malicious file to trigger this vulnerability.
nvd
CVE-2023-22601 | P3 | HIGH | CVSS 8.6 | fixed in 3.5.56 | 2023-01-12
CWE-330: InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-330: Use of Insufficiently Random Values. They do not properly randomize MQTT ClientID parameters. An unauthorized user could calculate this parameter and use it to gather additional information about ot
nvd
CVE-2022-25932 | P3 | CRITICAL | CVSS 9.8 | fixed in 3.5.56 | 2022-11-09
CWE-284: The firmware of InHand Networks InRouter302 V3.5.45 introduces fixes for TALOS-2022-1472 and TALOS-2022-1474. The fixes are incomplete. An attacker can still perform, respectively, a privilege escalation and an information disclosure vulnerability.
nvd
CVE-2023-22597 | P4 | MEDIUM | CVSS 5.9 | fixed in 3.5.56 | 2023-01-12
CWE-319: InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-319: Cleartext Transmission of Sensitive Information. They use an unsecured channel to communicate with the cloud platform by default. An unauthorized user could intercept this communication and steal
nvd
CVE-2022-21238 | P4 | MEDIUM | CVSS 6.1 | ≤ 3.5.37 | 2022-05-12
CWE-80: A cross-site scripting (xss) vulnerability exists in the info.jsp functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can send an HTTP request to trigger this vulnerability.
nvd