Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by vendor Dasannetworks Subscribe

CVSS v3 Filter

ALL
NONE (0.0) LOW (0.1 - 3.9) MEDIUM (4.0 - 6.9) HIGH (7.0 - 8.9) CRITICAL (9.0 - 10.0)

Search

Total 6 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-42495 1 Dasannetworks 1 W-web 2023-12-18 N/A 9.8 CRITICAL
Dasan Networks - W-Web versions 1.22-1.27 - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2019-8950 1 Dasannetworks 2 H665, H665 Firmware 2020-08-24 10.0 HIGH 9.8 CRITICAL
The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices with firmware 1.46p1-0028 allows an attacker to login to the admin account via TELNET.
CVE-2019-9974 1 Dasannetworks 2 H660rm, H660rm Firmware 2020-08-24 6.4 MEDIUM 9.1 CRITICAL
diag_tool.cgi on DASAN H660RM GPON routers with firmware 1.03-0022 lacks any authorization check, which allows remote attackers to run a ping command via a GET request to enumerate LAN devices or crash the router with a DoS attack.
CVE-2018-10562 1 Dasannetworks 2 Gpon Router, Gpon Router Firmware 2019-10-03 7.5 HIGH 9.8 CRITICAL
An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.
CVE-2018-10561 1 Dasannetworks 2 Gpon Router, Gpon Router Firmware 2019-03-04 7.5 HIGH 9.8 CRITICAL
An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.
CVE-2017-18046 1 Dasannetworks 2 H640x, H640x Firmware 2018-04-08 7.5 HIGH 9.8 CRITICAL
Buffer overflow on Dasan GPON ONT WiFi Router H640X 12.02-01121 2.77p1-1124 and 3.03p2-1146 devices allows remote attackers to execute arbitrary code via a long POST request to the login_action function in /cgi-bin/login_action.cgi (aka cgipage.cgi).