Main Vulnerability Database Exploits ID:8366 - Exploit for Improper Neutralization of Special Elements in Output Used by a Downstream Component in DrayTek Corp. products - CVE-2020-8515

ID:8366 - Exploit for Improper Neutralization of Special Elements in Output Used by a Downstream Component in DrayTek Corp. products - CVE-2020-8515

Published: September 14, 2022

Vulnerability identifier: #VU25350

Vulnerability risk: Critical

CVE-ID: CVE-2020-8515

CWE-ID: CWE-74

Exploitation vector: Remote access

Vulnerable software:
Vigor 2960
Vigor 3900
Vigor 300B

Link to public exploit:

https://github.com/trhacknon/CVE-2020-8515-PoC

Vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the affected devices allow remote code execution as root (without authentication) via shell metacharacters to the "cgi-bin/mainfunction.cgi" URI.

Note, this vulnerability is being actively exploited in the wild starting from December 4, 2019.

Remediation

Install updates from vendor's website.

ID:8366 - Exploit for Improper Neutralization of Special Elements in Output Used by a Downstream Component in DrayTek Corp. products - CVE-2020-8515

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human