Vigor3900 Firmware

vigor3900_firmware

Vendor: Draytek • 48 CVEs

CVEs (48)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-51259 1Draytek 1Vigor3900 Firmware Apr 10, 2025 Oct 31, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the setup_cacertificate function.
CVE-2024-51254 1Draytek 1Vigor3900 Firmware Apr 10, 2025 Oct 31, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the sign_cacertificate function.
CVE-2024-51258 1Draytek 1Vigor3900 Firmware Apr 10, 2025 Oct 30, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doSSLTunnel function.
CVE-2024-51301 1Draytek 1Vigor3900 Firmware Apr 10, 2025 Oct 30, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the packet_monitor function.
CVE-2024-51300 1Draytek 1Vigor3900 Firmware Apr 10, 2025 Oct 30, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the get_rrd function.
CVE-2024-51299 1Draytek 1Vigor3900 Firmware Apr 10, 2025 Oct 30, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the dumpSyslog function.
CVE-2024-51298 1Draytek 1Vigor3900 Firmware Apr 10, 2025 Oct 30, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doGRETunnel function.
CVE-2024-51296 1Draytek 1Vigor3900 Firmware Apr 10, 2025 Oct 30, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the pingtrace function.
CVE-2024-51257 1Draytek 1Vigor3900 Firmware Apr 10, 2025 Oct 30, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doCertificate function.
CVE-2024-51304 1Draytek 1Vigor3900 Firmware Apr 10, 2025 Oct 30, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the ldap_search_dn function.
CVE-2024-48153 1Draytek 1Vigor3900 Firmware Apr 10, 2025 Oct 14, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the get_subconfig function.
CVE-2024-46316 1Draytek 1Vigor3900 Firmware Apr 10, 2025 Oct 9, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 DrayTek Vigor3900 v1.5.1.6 was discovered to contain a command injection vulnerability via the sub_2C920 function at /cgi-bin/mainfunction.cgi. This vulnerability allows attackers to execute arbitrary commands via supply...Show more DrayTek Vigor3900 v1.5.1.6 was discovered to contain a command injection vulnerability via the sub_2C920 function at /cgi-bin/mainfunction.cgi. This vulnerability allows attackers to execute arbitrary commands via supplying a crafted HTTP message.Show less
CVE-2024-44845 1Draytek 1Vigor3900 Firmware Sep 11, 2024 Sep 6, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 DrayTek Vigor3900 v1.5.1.6 was discovered to contain an authenticated command injection vulnerability via the value parameter in the filter_string function.
CVE-2024-44844 1Draytek 1Vigor3900 Firmware Sep 11, 2024 Sep 6, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 DrayTek Vigor3900 v1.5.1.6 was discovered to contain an authenticated command injection vulnerability via the name parameter in the run_command function.
CVE-2024-43027 1Draytek 3Vigor2960 Firmware Vigor300b FirmwareVigor3900 Firmware Jun 3, 2025 Aug 21, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 DrayTek Vigor 3900 before v1.5.1.5_Beta, DrayTek Vigor 2960 before v1.5.1.5_Beta and DrayTek Vigor 300B before v1.5.1.5_Beta were discovered to contain a command injection vulnerability via the action parameter at cgi-bi...Show more DrayTek Vigor 3900 before v1.5.1.5_Beta, DrayTek Vigor 2960 before v1.5.1.5_Beta and DrayTek Vigor 300B before v1.5.1.5_Beta were discovered to contain a command injection vulnerability via the action parameter at cgi-bin/mainfunction.cgi.Show less
CVE-2021-43118 1Draytek 3Vigor2960 Firmware Vigor300b FirmwareVigor3900 Firmware Nov 21, 2024 Mar 29, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A Remote Command Injection vulnerability exists in DrayTek Vigor 2960 1.5.1.3, DrayTek Vigor 3900 1.5.1.3, and DrayTek Vigor 300B 1.5.1.3 via a crafted HTTP message containing malformed QUERY STRING in mainfunction.cgi,...Show more A Remote Command Injection vulnerability exists in DrayTek Vigor 2960 1.5.1.3, DrayTek Vigor 3900 1.5.1.3, and DrayTek Vigor 300B 1.5.1.3 via a crafted HTTP message containing malformed QUERY STRING in mainfunction.cgi, which could let a remote malicious user execute arbitrary code.Show less
CVE-2021-42911 1Draytek 3Vigor2960 Firmware Vigor300b FirmwareVigor3900 Firmware Nov 21, 2024 Mar 29, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A Format String vulnerability exists in DrayTek Vigor 2960 <= 1.5.1.3, DrayTek Vigor 3900 <= 1.5.1.3, and DrayTek Vigor 300B <= 1.5.1.3 in the mainfunction.cgi file via a crafted HTTP message containing malformed QUERY S...Show more A Format String vulnerability exists in DrayTek Vigor 2960 <= 1.5.1.3, DrayTek Vigor 3900 <= 1.5.1.3, and DrayTek Vigor 300B <= 1.5.1.3 in the mainfunction.cgi file via a crafted HTTP message containing malformed QUERY STRING, which could let a remote malicious user execute arbitrary code.Show less
CVE-2020-15415 1Draytek 3Vigor2960 Firmware Vigor300b FirmwareVigor3900 Firmware Nov 7, 2025 Jun 30, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 On DrayTek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1, cgi-bin/mainfunction.cgi/cvmcfgupload allows remote command execution via shell metacharacters in a filename when the text/x-python-script content type...Show more On DrayTek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1, cgi-bin/mainfunction.cgi/cvmcfgupload allows remote command execution via shell metacharacters in a filename when the text/x-python-script content type is used, a different issue than CVE-2020-14472.Show less
CVE-2020-14473 1Draytek 3Vigor2960 Firmware Vigor300b FirmwareVigor3900 Firmware Nov 21, 2024 Jun 24, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Stack-based buffer overflow vulnerability in Vigor3900, Vigor2960, and Vigor300B with firmware before 1.5.1.1.
CVE-2020-14472 1Draytek 3Vigor2960 Firmware Vigor300b FirmwareVigor3900 Firmware Nov 21, 2024 Jun 24, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 On Draytek Vigor3900, Vigor2960, and Vigor 300B devices before 1.5.1.1, there are some command-injection vulnerabilities in the mainfunction.cgi file.

Previous 123 Next