Filtered by vendor Mi
Subscribe
Search
Total
14 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26317 | 1 Mi | 1 Xiaomi Router Firmware | 2023-08-07 | N/A | 9.8 CRITICAL |
| A vulnerability has been discovered in Xiaomi routers that could allow command injection through an external interface. This vulnerability arises from inadequate filtering of responses returned from the external interface. Attackers could exploit this vulnerability by hijacking the ISP or an upper-layer router to gain privileges on the Xiaomi router. Successful exploitation of this flaw could permit remote code execution and complete compromise of the device. | |||||
| CVE-2020-14124 | 1 Mi | 2 Ax3600, Ax3600 Firmware | 2021-09-27 | 7.5 HIGH | 9.8 CRITICAL |
| There is a buffer overflow in librsa.so called by getwifipwdurl interface, resulting in code execution on Xiaomi router AX3600 with ROM version =rom< 1.1.12. | |||||
| CVE-2020-14119 | 1 Mi | 1 Ax3600 | 2021-09-27 | 10.0 HIGH | 9.8 CRITICAL |
| There is command injection in the addMeshNode interface of xqnetwork.lua, which leads to command execution under administrator authority on Xiaomi router AX3600 with rom versionrom< 1.1.12 | |||||
| CVE-2020-14094 | 1 Mi | 2 Xiaomi R3600, Xiaomi R3600 Firmware | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Xiaomi router R3600, ROM version<1.0.20, the connection service can be injected through the web interface, resulting in stack overflow or remote code execution. | |||||
| CVE-2020-10561 | 1 Mi | 2 Mijia Inkjet Printer, Mijia Inkjet Printer Firmware | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Xiaomi Mi Jia ink-jet printer < 3.4.6_0138. Injecting parameters to ippserver through the web management background, resulting in command execution vulnerabilities. | |||||
| CVE-2020-14100 | 1 Mi | 2 R3600, R3600 Firmware | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| In Xiaomi router R3600 ROM version<1.0.66, filters in the set_WAN6 interface can be bypassed, causing remote code execution. The router administrator can gain root access from this vulnerability. | |||||
| CVE-2020-14095 | 1 Mi | 2 Xiaomi R3600, Xiaomi R3600 Firmware | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Xiaomi router R3600, ROM version<1.0.20, a connect service suffers from an injection vulnerability through the web interface, leading to a stack overflow or remote code execution. | |||||
| CVE-2019-18370 | 1 Mi | 2 Millet Router 3g, Millet Router 3g Firmware | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. The backup file is in tar.gz format. After uploading, the application uses the tar zxf command to decompress, so one can control the contents of the files in the decompressed directory. In addition, the application's sh script for testing upload and download speeds reads a URL list from /tmp/speedtest_urls.xml, and there is a command injection vulnerability, as demonstrated by api/xqnetdetect/netspeed. | |||||
| CVE-2020-14096 | 1 Mi | 2 Xiaomi Ai Speaker, Xiaomi Ai Speaker Firmware | 2020-09-17 | 7.5 HIGH | 9.8 CRITICAL |
| Memory overflow in Xiaomi AI speaker Rom version <1.59.6 can happen when the speaker verifying a malicious firmware during OTA process. | |||||
| CVE-2018-18698 | 1 Mi | 2 Xiaomi Mi-a1, Xiaomi Mi-a1 Firmware | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered on Xiaomi Mi A1 tissot_sprout:8.1.0/OPM1.171019.026/V9.6.4.0.ODHMIFE devices. They store cleartext Wi-Fi passwords in logcat during the process of setting up the phone as a hotspot. | |||||
| CVE-2020-11960 | 1 Mi | 2 Xiaomi R3600, Xiaomi R3600 Firmware | 2020-06-30 | 7.5 HIGH | 9.8 CRITICAL |
| Xiaomi router R3600 ROM before 1.0.50 is affected by a vulnerability when checking backup file in c_upload interface let attacker able to extract malicious file under any location in /tmp, lead to possible RCE and DoS | |||||
| CVE-2019-15913 | 1 Mi | 10 Dgnwg03lm, Dgnwg03lm Firmware, Mccgq01lm and 7 more | 2020-01-03 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, WSDCGQ01LM, RTCGQ01LM devices. Because of insecure key transport in ZigBee communication, causing attackers to gain sensitive information and denial of service attack, take over smart home devices, and tamper with messages. | |||||
| CVE-2018-14010 | 1 Mi | 7 Xiaomi R3, Xiaomi R3c, Xiaomi R3c Firmware and 4 more | 2018-09-12 | 10.0 HIGH | 9.8 CRITICAL |
| OS command injection in the guest Wi-Fi settings feature in /cgi-bin/luci on Xiaomi R3P before 2.14.5, R3C before 2.12.15, R3 before 2.22.15, and R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data. | |||||
| CVE-2018-14060 | 1 Mi | 2 Xiaomi R3d, Xiaomi R3d Firmware | 2018-09-12 | 10.0 HIGH | 9.8 CRITICAL |
| OS command injection in the AP mode settings feature in /cgi-bin/luci /api/misystem/set_router_wifiap on Xiaomi R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data. | |||||