News

1. Multiple security vulnerabilities in TerraMaster FS-210

TerraMaster FS-210 is a NAS (network-attached storage) device made by TerraMaster (Shenzhen Tumei Electronic Technology) of China.
The vulnerabilities include an unauthenticated log file download:

An issue was discovered on TerraMaster FS-210 4.0.19 devices. An unauthenticated attacker can download log files via the include/makecvs.php?Event= substring.

Unauthenticated backup file download:

An issue was discovered on TerraMaster FS-210 4.0.19 devices. One can download backup files remotely from terramaster_TNAS-00E43A_config_backup.bin without permission.

Unauthorized access to shared files:

An issue was discovered on TerraMaster FS-210 4.0.19 devices. An authenticated remote non-administrative user can read unauthorized shared files, as demonstrated by the filename=public%25252Fadmin_OnlyRead.txt substring.

2. Multiple security vulnerabilities in Xiaomi Mi WiFi R3G

Xiaomi Mi WiFi R3G is a 3G router made by Xiaomi of China.
The device stores its backups as tar.gz archives and unpacks them with tar zxf, so the contents of the extraction directory can be controlled by whoever supplies the archive.
In addition, when the device runs its network speed test it reads the URL list directly from /tmp/speedtest_urls.xml, which gives rise to a command injection vulnerability.

An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. The backup file is in tar.gz format. After uploading, the application uses the tar zxf command to decompress, so one can control the contents of the files in the decompressed directory. In addition, the application’s sh script for testing upload and download speeds reads a URL list from /tmp/speedtest_urls.xml, and there is a command injection vulnerability, as demonstrated by api/xqnetdetect/netspeed.
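Two defensive counterparts to the behaviour described above, written here as an added example (this is not the router's firmware code and not from the advisory): a restore routine that audits every member of an uploaded tar.gz before extracting, rejecting names and link targets that resolve outside the restore directory, and a speed-test URL handler that validates each list entry and builds the download command as an argv list so no shell ever parses it. The archive contents, the directory name, the URL list and the curl command line are constructed for the illustration; the real format of /tmp/speedtest_urls.xml is not known from the page.

```python
import io
import os
import re
import tarfile
from urllib.parse import urlparse

# --- Part 1: refuse archive members that would land outside the restore directory ---

def _inside(path, root):
    """True if the resolved path is root itself or lies beneath it."""
    return path == root or path.startswith(root + os.sep)

def audit_archive(blob, dest):
    """Classify every member of a tar.gz backup (bytes) as accepted or rejected.

    Rejected: names resolving outside dest, symlinks or hardlinks whose target
    resolves outside dest, and anything that is not a regular file or directory.
    """
    root = os.path.realpath(dest)
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(root, m.name))
            ok = _inside(target, root)
            if ok and m.issym():
                # a symlink target is relative to the link's own directory
                link = os.path.realpath(os.path.join(os.path.dirname(target), m.linkname))
                ok = _inside(link, root)
            elif ok and m.islnk():
                # a hardlink target is relative to the archive root
                ok = _inside(os.path.realpath(os.path.join(root, m.linkname)), root)
            elif ok and not (m.isfile() or m.isdir()):
                ok = False  # device nodes, FIFOs etc. have no place in a config backup
            (accepted if ok else rejected).append(m.name)
    return accepted, rejected

def extract_backup(blob, dest):
    """Extract only if every member passed the audit; otherwise write nothing."""
    accepted, rejected = audit_archive(blob, dest)
    if rejected:
        raise ValueError("backup rejected, unsafe members: %s" % ", ".join(rejected))
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        tar.extractall(dest, members=[m for m in tar.getmembers() if m.name in accepted])
    return accepted

# --- Part 2: speed-test URLs are validated and never handed to a shell ---

# Conservative allow-list: the RFC 3986 characters a plain download URL needs and
# nothing a shell would interpret (no whitespace, quotes, ';', '|', '$' or backticks).
_URL_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?=&%+]+$")

def validate_url(url):
    """Return the URL unchanged if it is an http(s) URL of allowed characters, else None."""
    if not _URL_CHARS.match(url):
        return None
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    return url

def fetch_argv(url):
    """Build the download command as an argv list for subprocess.run(..., shell=False).

    With no shell parsing the list, a hostile entry is at worst an invalid URL, never a
    command. The '--' tells curl to stop option parsing before the URL argument.
    """
    checked = validate_url(url)
    if checked is None:
        raise ValueError("rejected speed-test URL: %r" % url)
    return ["curl", "--silent", "--output", "/dev/null",
            "--write-out", "%{speed_download}", "--", checked]

# --- Constructed fixtures ---

def build_archive(entries):
    """Build a tar.gz in memory from (name, payload_or_linkname, kind) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload, kind in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# A legitimate config entry plus two members that a bare 'tar zxf' would write as-is.
SAMPLE_BACKUP = build_archive([
    ("etc/config/wifi", b"config wifi-device 'radio0'\n", "file"),
    ("../../etc/rc.local", b"# would land outside the restore directory\n", "file"),
    ("etc/config/shadow_link", "/etc/shadow", "symlink"),
])
SAMPLE_URLS = ["http://speed.example.com/100MB.bin", "http://speed.example.com/x; id"]

if __name__ == "__main__":
    print(audit_archive(SAMPLE_BACKUP, "restore"))
    for u in SAMPLE_URLS:
        try:
            print(fetch_argv(u))
        except ValueError as e:
            print(e)
```

The audit is done before any write, so a single bad member rejects the whole backup rather than leaving a half-restored directory; the same applies to the URL list, where one malformed entry is dropped instead of being interpolated into a shell string.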

The device also has a directory traversal vulnerability.

An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. There is a directory traversal vulnerability to read arbitrary files via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability, the attacker can bypass authentication.
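To make the "misconfigured NGINX alias" concrete, here is an added example (not nginx code and not from the advisory) that models how a prefix location with alias maps a request URI to a file path and why a location without a trailing slash lets a path like extdisks../etc/config/account escape. The exact nginx block on the router is not given on the page; the location and alias values below are assumptions, with /extdisks/ chosen only because it makes the example resolve to the /etc/config/account path the advisory names. The hardened form ends both the location and the alias with a slash.

```python
import posixpath

# Assumed weak configuration (not taken from the advisory):
#   location /api-third-party/download/extdisks { alias /extdisks/; }
# The location prefix has no trailing slash while the alias does.
WEAK = ("/api-third-party/download/extdisks", "/extdisks/")

# Hardened form: both the location and the alias end in a slash.
#   location /api-third-party/download/extdisks/ { alias /extdisks/; }
FIXED = ("/api-third-party/download/extdisks/", "/extdisks/")

def alias_map(uri, location, alias):
    """Model nginx 'alias' on a prefix location: the matched prefix is replaced by the alias.

    nginx resolves dot-segments ('..') in the request URI before location matching, and
    that step is reproduced here. Note that 'extdisks..' is one path segment, not '..',
    so it survives normalisation. Returns the filesystem path nginx would open, or None
    when the location does not match the request.
    """
    normalized = posixpath.normpath(uri)
    if uri.endswith("/") and not normalized.endswith("/"):
        normalized += "/"  # keep a directory request's trailing slash
    if not normalized.startswith(location):
        return None
    return alias + normalized[len(location):]

def is_within(path, root):
    """True if the path, after resolving '..', stays under root."""
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root + "/")

def serve(uri, location, alias):
    """Return the resolved file path, or None when the request must be refused.

    nginx itself performs no such containment check after alias substitution; this
    guard shows what the trailing-slash fix achieves, and doubles as a check a
    reviewer can run over access-log URIs against a given location/alias pair.
    """
    mapped = alias_map(uri, location, alias)
    if mapped is None or not is_within(mapped, alias):
        return None
    return posixpath.normpath(mapped)

if __name__ == "__main__":
    probe = "/api-third-party/download/extdisks../etc/config/account"
    print("weak  ->", alias_map(probe, *WEAK), "=>", posixpath.normpath(alias_map(probe, *WEAK)))
    print("fixed ->", alias_map(probe, *FIXED))
    print("legit ->", serve("/api-third-party/download/extdisks/sda1/photo.jpg", *FIXED))
```

Under the weak pair the probe URI still matches the prefix, the remainder "../etc/config/account" is appended to the alias, and the file system resolves it to /etc/config/account; under the fixed pair the request no longer matches the location at all, and a URI that spells out "/../" is normalised away before matching.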

3. Memory leak vulnerability in multiple Huawei products

Huawei AR1200 and the other products listed below are enterprise routers made by Huawei of China. A memory leak vulnerability exists in multiple Huawei products; a remote attacker can exploit it by continuously sending messages, causing the service to malfunction. The following products and versions are affected:
Huawei AR120-S V200R005C20, V200R006C10;
AR1200 V200R005C20, V200R006C10;
AR1200-S V200R005C20, V200R006C10;
AR150 V200R005C20, V200R006C10;
AR150-S V200R005C20, V200R006C10;
AR160 V200R005C20, V200R006C10;
AR200 V200R005C20, V200R006C10;
AR200-S V200R005C20, V200R006C10;
AR2200 V200R005C20, V200R006C10;
AR2200-S V200R005C20, V200R006C10;
AR3200 V200R005C20, V200R006C10;
AR3600 V200R006C10;
NetEngine16EX V200R005C20, V200R006C10;
SRG1300 V200R005C20, V200R006C10;
SRG2300 V200R005C20, V200R006C10;
SRG3300 V200R005C20, V200R006C10.

4. Multiple security vulnerabilities in Fujitsu Wireless Keyboard Set LX390

Fujitsu Wireless Keyboard Set LX390 is a wireless keyboard made by Fujitsu of Japan.
Because the 2.4 GHz communication lacks proper encryption and the authentication mechanism is password-based, the devices are vulnerable to replay attacks.

An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 devices. Because of the lack of proper encryption of 2.4 GHz communication, and because of password-based authentication, they are vulnerable to replay attacks.

SySS GmbH found out that the wireless desktop set Fujitsu LX390 is vulnerable to keystroke injection attacks as the used data communication is unencrypted and unauthenticated.

SySS GmbH found out that the wireless desktop set Fujitsu LX390 does not use encryption for transmitting data packets containing keyboard events like keystrokes.

5. Moxa EDR-810 Command Injection / Information Disclosure - CXSecurity.com

Moxa EDR-810 is an industrial secure router made by the Taiwanese industrial-control vendor Moxa. The device has an unauthenticated log file access vulnerability, an information disclosure issue and more.

Moxa EDR 810, all versions 5.1 and prior, allows an unauthenticated attacker to be able to retrieve some log files from the device, which may allow sensitive information disclosure. Log files must have previously been exported by a legitimate user.

There is also a remote code execution vulnerability.

Moxa EDR 810, all versions 5.1 and prior, allows an authenticated attacker to abuse the ping feature to execute unauthorized commands on the router, which may allow an attacker to perform remote code execution.