Total
5 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-24848 | 1 Fruitywifi Project | 1 Fruitywifi | 2022-04-28 | 7.2 HIGH | 7.8 HIGH |
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system. | |||||
CVE-2020-24849 | 1 Fruitywifi Project | 1 Fruitywifi | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
A remote code execution vulnerability is identified in FruityWifi through 2.4. Due to improperly escaped shell metacharacters obtained from the POST request at the page_config_adv.php page, it is possible to perform remote code execution by an authenticated attacker. This is similar to CVE-2018-17317. | |||||
CVE-2020-24847 | 1 Fruitywifi Project | 1 Fruitywifi | 2020-10-27 | 4.3 MEDIUM | 4.3 MEDIUM |
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticated attacker can change the newSSID and hostapd_wpa_passphrase. | |||||
CVE-2018-17317 | 1 Fruitywifi Project | 1 Fruitywifi | 2020-10-23 | 7.5 HIGH | 9.8 CRITICAL |
FruityWifi (aka PatatasFritas/PatataWifi) 2.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the io_mode, ap_mode, io_action, io_in_iface, io_in_set, io_in_ip, io_in_mask, io_in_gw, io_out_iface, io_out_set, io_out_mask, io_out_gw, iface, or domain parameter to /www/script/config_iface.php, or the newSSID, hostapd_secure, hostapd_wpa_passphrase, or supplicant_ssid parameter to /www/page_config.php. | |||||
CVE-2018-19168 | 1 Fruitywifi Project | 1 Fruitywifi | 2019-10-02 | 10.0 HIGH | 9.8 CRITICAL |
Shell Metacharacter Injection in www/modules/save.php in FruityWifi (aka PatatasFritas/PatataWifi) through 2.4 allows remote attackers to execute arbitrary code with root privileges via a crafted mod_name parameter in a POST request. NOTE: unlike in CVE-2018-17317, the attacker does not need a valid session. |