OPTILINK OP-XT71000N V2.2 is vulnerable to Remote Code Execution. The issue occurs when the attacker sends an arbitrary code on “/diag_ping_admin.asp” to “PingTest” interface that leads to COMMAND EXECUTION. An attacker can successfully trigger the COMMAND and can compromise full system.
CWE-77
CVE-2020-23584
Unauthenticated remote code execution in OPTILINK OP-XT71000N, Hardware Version: V2.2 occurs when the attacker passes arbitrary commands with IP-ADDRESS using ” | ” to execute commands on ” /diag_tracert_admin.asp ” in the “PingTest” parameter that leads to command execution.
CVE-2020-23639
A command injection vulnerability exists in Moxa Inc VPort 461 Series Firmware Version 3.4 or lower that could allow a remote attacker to execute arbitrary commands in Moxa’s VPort 461 Series Industrial Video Servers.
CVE-2020-22662
In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to change and set unauthorized “illegal region code” by remote code Execution command injection which leads to run illegal frequency with maxi output power. Vulnerability allows attacker to create an arbitrary amount of ssid wlans interface per radio which creates overhead over noise (the default max limit is 8 ssid only per radio in solo AP). Vulnerability allows attacker to unlock hidden regions by privilege command injection in WEB GUI.
CVE-2020-21785
In IBOS 4.5.4 Open, the database backup has Command Injection Vulnerability.
CVE-2020-20951
In Pluck-4.7.10-dev2 admin background, a remote command execution vulnerability exists when uploading files.