MidnightBSD

Advisories for ui

CVE-2010-5330 MEDIUM

On certain Ubiquiti devices, Command Injection exists via a GET request to stainfo.cgi (aka Show AP info) because the ifname variable is not sanitized, as demonstrated by shell metacharacters. The fixed version is v4.0.1 for 802.11 ISP products, v5.3.5 for AirMax ISP products, and v5.4.5 for AirSync firmware. For example, Nanostation5 (Air OS) is affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-77,CWE-77,

Products Affected

Vendor Product Version
ui airos *
CVE-2013-1606 HIGH

Buffer overflow in the ubnt-streamer RTSP service on the Ubiquiti UBNT AirCam with airVision firmware before 1.1.6 allows remote attackers to execute arbitrary code via a long rtsp: URI in a DESCRIBE request.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
ui airvision_firmware *
ui aircam_dome -
ui aircam -
ui aircam_mini -
CVE-2013-3572 MEDIUM

Cross-site scripting (XSS) vulnerability in the administer interface in the UniFi Controller in Ubiquiti Networks UniFi 2.3.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted client hostname.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ui unifi *
ui unifi_controller *
CVE-2014-2225 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in Ubiquiti Networks UniFi Controller before 3.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) create a new admin user via a request to api/add/admin; (2) have unspecified impact via a request to api/add/wlanconf; change the guest (3) password, (4) authentication method, or (5) restricted subnets via a request to api/set/setting/guest_access; (6) block, (7) unblock, or (8) reconnect users by MAC address via a request to api/cmd/stamgr; change the syslog (9) server or (10) port via a request to api/set/setting/rsyslogd; (11) have unspecified impact via a request to api/set/setting/smtp; change the syslog (12) server, (13) port, or (14) authentication settings via a request to api/cmd/cfgmgr; or (15) change the Unifi Controller name via a request to api/set/setting/identity.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
ui mfi_controller *
ui unifi_controller *
ui airvision_controller *
CVE-2014-2226 LOW

Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-255,

Products Affected

Vendor Product Version
ui unifi_controller *
CVE-2014-2227 MEDIUM

The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Networks UniFi Video (formerly AirVision aka AirVision Controller) before 3.0.1 does not restrict access to the application, which allows remote attackers to bypass the Same Origin Policy via a crafted SWF file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
ui unifi_video *
CVE-2015-9266 HIGH

The web management interface of Ubiquiti airMAX, airFiber, airGateway and EdgeSwitch XP (formerly TOUGHSwitch) allows an unauthenticated attacker to upload and write arbitrary files using directory traversal techniques. An attacker can exploit this vulnerability to gain root privileges. This vulnerability is fixed in the following product versions (fixes released in July 2015, all prior versions are affected): airMAX AC 7.1.3; airMAX M (and airRouter) 5.6.2 XM/XW/TI, 5.5.11 XM/TI, and 5.5.10u2 XW; airGateway 1.1.5; airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1, and AF5 2.2.1; airOS 4 XS2/XS5 4.0.4; and EdgeSwitch XP (formerly TOUGHSwitch) 1.3.2.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
ui airgateway_firmware *
ui af5x_firmware *
ubnt edgeswitch_xp_firmware *
ui airmax_m_ti_firmware *
ui airfiber_af24_firmware *
ubnt airos_4_xs2 *
ui airmax_m_xw_firmware *
ubnt airos_4_xs5 *
ui airmax_m_xm_firmware *
ui airmax_ac_firmware 7.1.3
ui af5_firmware *
ui airfiber_af24hd_firmware *
CVE-2016-6914 HIGH

Ubiquiti UniFi Video before 3.8.0 for Windows uses weak permissions for the installation directory, which allows local users to gain SYSTEM privileges via a Trojan horse taskkill.exe file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-276,

Products Affected

Vendor Product Version
ui unifi_video *
CVE-2017-0912 LOW

Ubiquiti UCRM versions 2.5.0 to 2.7.7 are vulnerable to Stored Cross-site Scripting. Due to the lack sanitization, it is possible to inject arbitrary HTML code by manipulating the uploaded filename. Successful exploitation requires valid credentials to an account with "Edit" access to "Scheduling".

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ui ucrm *
CVE-2017-0935 HIGH

Ubiquiti Networks EdgeOS version 1.9.1.1 and prior suffer from an Improper Privilege Management vulnerability due to the lack of protection of the file system leading to sensitive information being exposed. An attacker with access to an operator (read-only) account could escalate privileges to admin (root) access in the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,CWE-269,

Products Affected

Vendor Product Version
ui edgeos *
CVE-2017-0938 MEDIUM

Denial of Service attack in airMAX < 8.3.2 , airMAX < 6.0.7 and EdgeMAX < 1.9.7 allow attackers to use the Discovery Protocol in amplification attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-20,

Products Affected

Vendor Product Version
ui airos *
ui edgemax_firmware *
CVE-2018-12590 HIGH

Ubiquiti Networks EdgeSwitch version 1.7.3 and prior suffer from an externally controlled format-string vulnerability due to lack of protection on the admin CLI, leading to code execution and privilege escalation greater than administrators themselves are allowed. An attacker with access to an admin account could escape the restricted CLI and execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-134,

Products Affected

Vendor Product Version
ui edgeswitch_firmware *
CVE-2018-5264 MEDIUM

Ubiquiti UniFi 52 devices, when Hotspot mode is used, allow remote attackers to bypass intended restrictions on "free time" Wi-Fi usage by sending a /guest/s/default/ request to obtain a cookie, and then using this cookie in a /guest/s/default/login request with the byfree parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
ui unifi_firmware -
CVE-2018-5265 MEDIUM

Ubiquiti EdgeOS 1.9.1 on EdgeRouter Lite devices allows remote attackers to execute arbitrary code with admin credentials, because /opt/vyatta/share/vyatta-cfg/templates/system/static-host-mapping/host-name/node.def does not sanitize the 'alias' or 'ips' parameter for shell metacharacters.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-78,

Products Affected

Vendor Product Version
ui edgeos 1.9.1
CVE-2019-12727 HIGH

On Ubiquiti airCam 3.1.4 devices, a Denial of Service vulnerability exists in the RTSP Service provided by the ubnt-streamer binary. The issue can be triggered via malformed RTSP requests that lead to an invalid memory read. To exploit the vulnerability, an attacker must craft an RTSP request with a large number of headers.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
ui aircam_firmware 3.1.4
CVE-2019-15595 HIGH

A privilege escalation exists in UniFi Video Controller =<3.10.6 that would allow an attacker on the local machine to run arbitrary commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ui unifi_video_controller *
CVE-2019-16889 HIGH

Ubiquiti EdgeMAX devices before 2.0.3 allow remote attackers to cause a denial of service (disk consumption) because *.cache files in /var/run/beaker/container_file/ are created when providing a valid length payload of 249 characters or fewer to the beaker.session.id cookie in a GET header. The attacker can use a long series of unique session IDs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-770,

Products Affected

Vendor Product Version
ui er-6p_firmware *
ui er-8-xg_firmware *
ui er-x-sfp_firmware *
ui er-12_firmware *
ui er-4_firmware *
ui erpro-8_firmware *
ui erpoe-5_firmware *
ui erlite-3_firmware *
ui er-8_firmware *
ui er-x_firmware *
ui ep-r6_firmware *
ui ep-r8_firmware *
CVE-2019-5424 HIGH

In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, a privileged user can execute arbitrary shell commands over the SSH CLI interface. This allows to execute shell commands under the root user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,CWE-78,

Products Affected

Vendor Product Version
ui edgeswitch_x *
CVE-2019-5425 HIGH

In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an authenticated user can execute arbitrary shell commands over the SSH interface bypassing the CLI interface, which allow them to escalate privileges to root.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
ui edgeswitch_x *
CVE-2019-5426 MEDIUM

In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an unauthenticated user can use the "local port forwarding" and "dynamic port forwarding" (SOCKS proxy) functionalities. Remote attackers without credentials can exploit this bug to access local services or forward traffic through the device if SSH is enabled in the system settings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,CWE-287,

Products Affected

Vendor Product Version
ui edgeswitch_x *
CVE-2019-5430 MEDIUM

In UniFi Video 3.10.0 and prior, due to the lack of CSRF protection, it is possible to abuse the Web API to make changes on the server configuration without the user consent, requiring the attacker to lure an authenticated user to access on attacker controlled page.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,CWE-352,

Products Affected

Vendor Product Version
ui unifi_video *
CVE-2019-5445 MEDIUM

DoS in EdgeMAX EdgeSwitch prior to 1.8.2 allow an Admin user to Crash the SSH CLI interface by using crafted commands.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-400,

Products Affected

Vendor Product Version
ui edgeswitch_firmware *
CVE-2019-5446 HIGH

Command Injection in EdgeMAX EdgeSwitch prior to 1.8.2 allow an Admin user to execute commands as root.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,CWE-77,

Products Affected

Vendor Product Version
ui edgeswitch_firmware *
CVE-2019-5456 MEDIUM

SMTP MITM refers to a malicious actor setting up an SMTP proxy server between the UniFi Controller version <= 5.10.21 and their actual SMTP server to record their SMTP credentials for malicious use later.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-300,CWE-255,

Products Affected

Vendor Product Version
ui unifi_controller *
CVE-2020-12695 HIGH

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:H 2.2 4.7

CVSS 2.0

Severity: HIGH

Problem Type: CWE-276,

Products Affected

Vendor Product Version
cisco wap131 -
hp hp_officejet_4652_k9v84b -
hp envy_4508_e6g72b -
epson xp-4105 -
hp deskjet_ink_advantage_4535_f0v64c -
cisco wap150 -
hp hp_envy_4511_k9h50a -
ui unifi_controller -
epson xp-8600 -
hp envy_5000_m2u94b -
hp envy_6020_6wd35a -
epson xp-100 -
hp envy_4523_j6u60b -
hp envy_4520_e6g67b -
hp envy_5540_g0v47a -
hp envy_photo_6252_k7g22a -
fedoraproject fedora 31
hp envy_5544_k7c89a -
hp hp_officejet_4655_k9v82b -
hp envy_4525_k9t09b -
canonical ubuntu_linux 20.04
hp officejet_4655_f1j00a -
microsoft windows_10 -
hp envy_photo_6222_y0k14d -
hp envy_100_cn519b -
epson xp-8500 -
hp envy_5640_b9s58a -
hp hp_deskjet_ink_advantage_4675_f1h97c -
epson xp-960 -
hp hp_envy_4520_f0v63b -
hp envy_5531 -
hp deskjet_ink_advantage_3545_a9t81c -
hp hp_envy_4522_f0v67a -
hp deskjet_ink_advantage_5575_g0v48b -
hp envy_pro_6420_5se46a -
hp envy_photo_7100_z3m37a -
hp hp_deskjet_ink_advantage_4675_f1h97b -
hp envy_110_cq809b -
hp hp_envy_4524_f0v72b -
hp envy_4504_c8d04a -
hp envy_6020_7cz37a -
zyxel vmg8324-b10a -
hp deskjet_ink_advantage_4678_f1h99b -
hp envy_5536 -
epson xp-702 -
hp 5020_z4a69a -
hp envy_photo_6220_k7g20d -
hp envy_photo_7800_k7r96a -
hp deskjet_ink_advantage_4675_f1h97a -
microsoft xbox_one 10.0.19041.2494
hp deskjet_ink_advantage_4535_f0v64b -
hp hp_envy_4525_k9t09b -
epson ep-101 -
hp hp_envy_4512_k9h49a -
hp envy_photo_7822_y0g43d -
hp hp_envy_4520_f0v69a -
hp hp_officejet_4655_f1j00a -
hp envy_photo_7100_3xd89a -
epson xp-440 -
hp envy_photo_6200_k7g26b -
hp officejet_4655_k9v79a -
hp envy_photo_6230_k7g25b -
w1.fi hostapd *
hp envy_4509_d3p94a -
hp envy_photo_7100_z3m52a -
hp envy_100_cn518a -
hp envy_6052_5se18a -
hp hp_officejet_4652_f1j02a -
hp hp_officejet_4658_v6d30b -
hp envy_4524_f0v71b -
hp envy_5539 -
hp envy_photo_6200_y0k15a -
hp hp_officejet_4650_e6g87a -
epson ew-m970a3t -
hp deskjet_ink_advantage_4675_f1h97c -
hp envy_photo_7164_k7g99a -
hp deskjet_ink_advantage_4535_f0v64a -
hp hp_envy_4520_e6g67b -
hp envy_pro_6455_5se45a -
hp hp_officejet_4654_f1j07b -
hp envy_5000_m2u85b -
hp envy_pro_6420_6wd16a -
hp envy_photo_6200_k7s21b -
hp envy_6540_b9s59a -
fedoraproject fedora 32
hp 5030_m2u92b -
hp envy_4502_a9t87b -
hp officejet_4650_f1h96b -
hp hp_deskjet_ink_advantage_4535_f0v64b -
hp officejet_4655_k9v82b -
hp envy_5020_m2u91b -
epson m571t -
hp envy_4528_k9t08b -
hp envy_4524_k9t01a -
hp envy_5530 -
hp envy_100_cn517c -
hp envy_photo_7800_k7s10d -
asus rt-n11 -
hp deskjet_ink_advantage_4518 -
hp hp_envy_4524_f0v71b -
canon selphy_cp1200 -
hp envy_114_cq811b -
hp envy_4505_a9t86a -
hp hp_envy_4516_k9h52a -
hp deskjet_ink_advantage_4675_f1h97b -
hp envy_5643_b9s63a -
hp envy_5535 -
hp envy_5646_f8b05a -
hp envy_100_cn519a -
hp envy_5540_f2e72a -
hp envy_110_cq809c -
hp envy_5541_k7g89a -
hp officejet_4650_f1h96a -
hp hp_envy_4513_k9h51a -
hp hp_deskjet_ink_advantage_4536_f0v65a -
hp envy_4513_k9h51a -
hp envy_114_cq812a -
hp hp_envy_4527_j6u61b -
hp envy_photo_7830_y0g50b -
hp officejet_4654_f1j06b -
ruckussecurity zonedirector_1200 -
hp deskjet_ink_advantage_4515 -
hp envy_5540_g0v52a -
hp hp_envy_4521_k9t10b -
hp envy_pro_6420_6wd14a -
epson xp-320 -
hp officejet_4656_k9v81b -
hp envy_5665_f8b06a -
epson xp-970 -
hp hp_envy_4520_e6g67a -
hp officejet_4657_v6d29b -
hp envy_100_cn517a -
hp hp_officejet_4650_f1h96b -
hp envy_5000_z4a54a -
hp envy_4521_k9t10b -
hp hp_envy_4526_k9t05b -
hp deskjet_ink_advantage_3456_a9t84c -
hp envy_5000_m2u85a -
hp envy_4501_c8d05a -
hp deskjet_ink_advantage_3545_a9t81a -
hp envy_photo_7800_y0g42d -
hp envy_5542_k7c88a -
hp envy_4520_f0v63a -
hp envy_photo_7800_k7s00a -
epson xp-630 -
hp envy_5000_m2u91a -
epson xp-620 -
hp envy_5547_j6u64a -
hp envy_4500_a9t80a -
epson xp-340 -
hp officejet_4658_v6d30b -
dell b1165nfw -
hp hp_deskjet_ink_advantage_4678_f1h99b -
hp envy_6055_5se16a -
dlink dvg-n5412sp -
hp envy_photo_7100_k7g93a -
netgear wnhde111 -
hp hp_deskjet_ink_advantage_4535_f0v64a -
epson xp-2101 -
hp envy_photo_6222_y0k13d -
hp officejet_4652_f1j02a -
huawei hg255s -
hp envy_4527_j6u61b -
hp envy_photo_6200_k7g18a -
epson xp-2105 -
hp envy_5644_b9s65a -
hp 5034_z4a74a -
hp envy_5000_z4a74a -
hp envy_4520_f0v69a -
hp officejet_4652_f1j05b -
nec wr8165n -
debian debian_linux 10.0
hp envy_7644_e4w46a -
hp envy_5546_k7c90a -
huawei hg532e -
hp hp_envy_4528_k9t08b -
hp hp_envy_4524_k9t01a -
hp hp_envy_4520_f0v63a -
hp hp_officejet_4654_f1j06b -
hp envy_5534 -
hp envy_7640 -
hp officejet_4652_k9v84b -
hp envy_110_cq809a -
hp envy_pro_6452_5se47a -
hp envy_4524_f0v72b -
hp 5660_f8b04a -
hp envy_5642_b9s64a -
hp hp_envy_4523_j6u60b -
epson xp-241 -
hp envy_4520_f0v63b -
hp envy_5532 -
hp officejet_4654_f1j07b -
hp 5030_z4a70a -
hp hp_officejet_4652_f1j05b -
hp hp_officejet_4656_k9v81b -
hp hp_deskjet_ink_advantage_4535_f0v64c -
hp hp_deskjet_ink_advantage_4675_f1h97a -
hp deskjet_ink_advantage_4676_f1h98a -
hp envy_4516_k9h52a -
hp deskjet_ink_advantage_3545_a9t83b -
hp envy_5543_n9u88a -
hp envy_photo_7100_k7g99a -
hp envy_111_cq810a -
cisco wap351 -
debian debian_linux 9.0
hp envy_4507_e6g70b -
hp hp_deskjet_ink_advantage_4538_f0v66b -
hp envy_100_cn517b -
hp deskjet_ink_advantage_3546_a9t82a -
hp envy_4502_a9t85a -
hp envy_120_cz022a -
hp envy_4511_k9h50a -
hp envy_photo_7155_z3m52a -
epson xp-4100 -
hp envy_5664_f8b08a -
hp envy_pro_6420_5se45b -
hp envy_5548_k7g87a -
hp envy_4526_k9t05b -
hp envy_photo_7120_z3m41d -
hp hp_officejet_4655_k9v79a -
tp-link archer_c50 -
hp envy_110_cq809d -
hp envy_120_cz022c -
hp envy_4500_a9t89a -
hp envy_5544_k7c93a -
hp envy_photo_6232_k7g26b -
zyxel amg1202-t10b -
hp envy_6020_5se17a -
hp hp_deskjet_ink_advantage_4676_f1h98a -
hp envy_4522_f0v67a -
hp envy_4503_e6g71b -
hp envy_5540_g0v53a -
hp envy_5545_g0v50a -
hp envy_5540_k7c85a -
hp envy_7645_e4w44a -
hp officejet_4650_e6g87a -
hp envy_photo_7822_y0g42d -
hp envy_4500_d3p93a -
hp envy_5640_b9s56a -
epson xp-330 -
hp envy_6020_5se16b -
hp deskjet_ink_advantage_3548_a9t81b -
hp deskjet_ink_advantage_4536_f0v65a -
hp envy_114_cq811a -
hp envy_photo_7800_y0g52b -
zte zxv10_w300 -
hp envy_4509_d3p94b -
hp envy_4504_a9t88b -
broadcom adsl -
hp envy_4520_e6g67a -
hp deskjet_ink_advantage_5575_g0v48c -
hp hp_officejet_4650_f1h96a -
hp envy_120_cz022b -
hp envy_photo_6220_k7g21b -
hp envy_4512_k9h49a -
hp envy_5000_m2u91a *
hp envy_photo_6200_y0k13d_ -
hp envy_photo_6234_k7s21b -
hp envy_110_cq812c -
hp envy_4500_a9t80b -
hp deskjet_ink_advantage_4538_f0v66b -
hp hp_officejet_4657_v6d29b -
hp envy_5540_g0v51a -
CVE-2020-24755 MEDIUM

In Ubiquiti UniFi Video v3.10.13, when the executable starts, its first library validation is in the current directory. This allows the impersonation and modification of the library to execute code on the system. This was tested in (Windows 7 x64/Windows 10 x64).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,

Products Affected

Vendor Product Version
ui unifi_video 3.10.13
CVE-2020-27888 MEDIUM

An issue was discovered on Ubiquiti UniFi Meshing Access Point UAP-AC-M 4.3.21.11325 and UniFi Controller 6.0.28 devices. Cached credentials are not erased from an access point returning wirelessly from a disconnected state. This may provide unintended network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-459,CWE-522,

Products Affected

Vendor Product Version
ui unifi_controller_firmware 6.0.28
ui unifi_meshing_access_point_firmware 4.3.21.11325
CVE-2020-8126 HIGH

A privilege escalation in the EdgeSwitch prior to version 1.7.1, an CGI script don't fully sanitize the user input resulting in local commands execution, allowing an operator user (Privilege-1) to escalate privileges and became administrator (Privilege-15).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
ui edgeswitch *
CVE-2020-8144 MEDIUM

The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware update information. If the version field contains ..\ character sequences, the destination file path to save the firmware can be manipulated to be outside the intended destination directory tree. Fixed in UniFi Video Controller v3.10.3 and newer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.4 HIGH CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.7 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,CWE-22,

Products Affected

Vendor Product Version
ui unifi_video *
CVE-2020-8145 MEDIUM

The UniFi Video Server (Windows) web interface configuration restore functionality at the “backup” and “wizard” endpoints does not implement sufficient privilege checks. Low privileged users, belonging to the PUBLIC_GROUP or CUSTOM_GROUP groups, can access these endpoints and overwrite the current application configuration. This can be abused for various purposes, including adding new administrative users. Affected Products: UniFi Video Controller v3.9.3 (for Windows 7/8/10 x64) and prior. Fixed in UniFi Video Controller v3.9.6 and newer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ui unifi_video *
CVE-2020-8146 MEDIUM

In UniFi Video v3.10.1 (for Windows 7/8/10 x64) there is a Local Privileges Escalation to SYSTEM from arbitrary file deletion and DLL hijack vulnerabilities. The issue was fixed by adjusting the .tsExport folder when the controller is running on Windows and adjusting the SafeDllSearchMode in the windows registry when installing UniFi-Video controller. Affected Products: UniFi Video Controller v3.10.2 (for Windows 7/8/10 x64) and prior. Fixed in UniFi Video Controller v3.10.3 and newer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,

Products Affected

Vendor Product Version
ui unifi_video *
CVE-2020-8148 MEDIUM

UniFi Cloud Key firmware < 1.1.6 contains a vulnerability that enables an attacker being able to change a device hostname by sending a malicious API request. This affects Cloud Key gen2 and Cloud Key gen2 Plus.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,CWE-287,

Products Affected

Vendor Product Version
ui cloud_key_gen2 *
ui cloud_key_gen2_plus *
CVE-2020-8157 HIGH

UniFi Cloud Key firmware <= v1.1.10 for Cloud Key gen2 and Cloud Key gen2 Plus contains a vulnerability that allows unrestricted root access through the serial interface (UART).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ui unifi_cloud_key_gen2_firmware *
ui unifi_cloud_key_gen2_plus_firmware *
CVE-2020-8168 MEDIUM

We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the description below:Attackers can abuse multiple end-points not protected against cross-site request forgery (CSRF), as a result authenticated users can be persuaded to visit malicious web pages, which allows attackers to perform arbitrary actions, such as downgrade the device's firmware to older versions, modify configuration, upload arbitrary firmware, exfiltrate files and tokens.Mitigation:Update to the latest AirMax AirOS firmware version available at the AirMax download page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,CWE-352,

Products Affected

Vendor Product Version
ui airos *
CVE-2020-8170 MEDIUM

We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the description below:Multiple end-points with parameters vulnerable to reflected cross site scripting (XSS), allowing attackers to abuse the user' session information and/or account takeover of the admin user.Mitigation:Update to the latest AirMax AirOS firmware version available at the AirMax download page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
ui airos *
CVE-2020-8171 HIGH

We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the description below:There are certain end-points containing functionalities that are vulnerable to command injection. It is possible to craft an input string that passes the filter check but still contains commands, resulting in remote code execution.Mitigation:Update to the latest AirMax AirOS firmware version available at the AirMax download page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,CWE-78,

Products Affected

Vendor Product Version
ui airos *
CVE-2020-8188 MEDIUM

We have recently released new version of UniFi Protect firmware v1.13.3 and v1.14.10 for Unifi Cloud Key Gen2 Plus and UniFi Dream Machine Pro/UNVR respectively that fixes vulnerabilities found on Protect firmware v1.13.2, v1.14.9 and prior according to the description below:View only users can run certain custom commands which allows them to assign themselves unauthorized roles and escalate their privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-77,CWE-78,

Products Affected

Vendor Product Version
ui unifi_protect_firmware *
CVE-2020-8213 MEDIUM

An information exposure vulnerability exists in UniFi Protect before v1.13.4-beta.5 that allowed unauthenticated attackers access to valid usernames for the UniFi Protect web application via HTTP response code and response timing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-209,CWE-209,

Products Affected

Vendor Product Version
ui unifi_protect *
CVE-2020-8232 MEDIUM

An information disclosure vulnerability exists in EdgeMax EdgeSwitch firmware v1.9.0 that allowed read only users could obtain unauthorized information through SNMP community pages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-200,

Products Affected

Vendor Product Version
ui edgeswitch_firmware *
CVE-2020-8233 HIGH

A command injection vulnerability exists in EdgeSwitch firmware <v1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,CWE-78,

Products Affected

Vendor Product Version
opensuse backports_sle 15.0
opensuse leap 15.1
ui edgeswitch_firmware *
opensuse leap 15.2
CVE-2020-8234 HIGH

A vulnerability exists in The EdgeMax EdgeSwitch firmware <v1.9.1 where the EdgeSwitch legacy web interface SIDSSL cookie for admin can be guessed, enabling the attacker to obtain high privileges and get a root shell by a Command injection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-613,CWE-613,

Products Affected

Vendor Product Version
ui edgemax_firmware *
CVE-2020-8267 MEDIUM

A security issue was found in UniFi Protect controller v1.14.10 and earlier.The authentication in the UniFi Protect controller API was using “x-token” improperly, allowing attackers to use the API to send authenticated messages without a valid token.This vulnerability was fixed in UniFi Protect v1.14.11 and newer.This issue does not impact UniFi Cloud Key Gen 2 plus.This issue does not impact UDM-Pro customers with UniFi Protect stopped.Affected Products:UDM-Pro firmware 1.7.2 and earlier.UNVR firmware 1.3.12 and earlier.Mitigation:Update UniFi Protect to v1.14.11 or newer version; the UniFi Protect controller can be updated through your UniFi OS settings.Alternatively, you can update UNVR and UDM-Pro to:- UNVR firmware to 1.3.15 or newer.- UDM-Pro firmware to 1.8.0 or newer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,CWE-287,

Products Affected

Vendor Product Version
ui unifi_protect_firmware *
CVE-2020-8282 MEDIUM

A security issue was found in EdgePower 24V/54V firmware v1.7.0 and earlier where, due to missing CSRF protections, an attacker would have been able to perform unauthorized remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,CWE-352,

Products Affected

Vendor Product Version
ui edgemax_edgepower_24v_firmware *
ui edgemax_edgepower_54v_firmware *
CVE-2021-22882 MEDIUM

UniFi Protect before v1.17.1 allows an attacker to use spoofed cameras to perform a denial-of-service attack that may cause the UniFi Protect controller to crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ui unifi_protect_controller *
CVE-2021-22909 HIGH

A vulnerability found in EdgeMAX EdgeRouter V2.0.9 and earlier could allow a malicious actor to execute a man-in-the-middle (MitM) attack during a firmware update. This vulnerability is fixed in EdgeMAX EdgeRouter V2.0.9-hotfix.1 and later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-300,CWE-295,

Products Affected

Vendor Product Version
ui edgemax_edgerouter_firmware *
CVE-2021-22943 HIGH

A vulnerability found in UniFi Protect application V1.18.1 and earlier permits a malicious actor who has already gained access to a network to subsequently control the Protect camera(s) assigned to said network. This vulnerability is fixed in UniFi Protect application V1.19.0 and later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,CWE-287,

Products Affected

Vendor Product Version
ui unifi_protect *
CVE-2021-22944 HIGH

A vulnerability found in UniFi Protect application V1.18.1 and earlier allows a malicious actor with a view-only role and network access to gain the same privileges as the owner of the UniFi Protect application. This vulnerability is fixed in UniFi Protect application V1.19.0 and later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.1 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ui unifi_protect *
CVE-2021-22952 MEDIUM

A vulnerability found in UniFi Talk application V1.12.3 and earlier permits a malicious actor who has already gained access to a network to subsequently control Talk device(s) assigned to said network if they are not yet adopted. This vulnerability is fixed in UniFi Talk application V1.12.5 and later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ui unifi_talk *
CVE-2021-22957 MEDIUM

A Cross-Origin Resource Sharing (CORS) vulnerability found in UniFi Protect application Version 1.19.2 and earlier allows a malicious actor who has convinced a privileged user to access a URL with malicious code to take over said user’s account.This vulnerability is fixed in UniFi Protect application Version 1.20.0 and later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-16,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ui unifi_protect *
CVE-2021-33818 MEDIUM

An issue was discovered in UniFi Protect G3 FLEX Camera Version UVC.v4.30.0.67. Attackers can use slowhttptest tool to send incomplete HTTP request, which could make server keep waiting for the packet to finish the connection, until its resource exhausted. Then the web server is denial-of-service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
ui camera_g3_flex_firmware uvc.v4.30.0.67
CVE-2021-33820 MEDIUM

An issue was discovered in UniFi Protect G3 FLEX Camera Version UVC.v4.30.0.67.Attacker could send a huge amount of TCP SYN packet to make web service's resource exhausted. Then the web server is denial-of-service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ui camera_g3_flex_firmware uvc.v4.30.0.67
CVE-2021-44527 MEDIUM

A vulnerability found in UniFi Switch firmware Version 5.43.35 and earlier allows a malicious actor who has already gained access to the network to perform a Deny of Service (DoS) attack on the affected switch.This vulnerability is fixed in UniFi Switch firmware 5.76.6 and later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-400,

Products Affected

Vendor Product Version
ui unifi_switch_firmware *
CVE-2021-44530 HIGH

An injection vulnerability exists in a third-party library used in UniFi Network Version 6.5.53 and earlier (Log4J CVE-2021-44228) allows a malicious actor to control the application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-74,

Products Affected

Vendor Product Version
ui unifi_network_controller *
CVE-2022-22570 HIGH

A buffer overflow vulnerability found in the UniFi Door Access Reader Lite’s (UA Lite) firmware (Version 3.8.28.24 and earlier) allows a malicious actor who has gained access to a network to control all connected UA devices. This vulnerability is fixed in Version 3.8.31.13 and later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,CWE-120,

Products Affected

Vendor Product Version
ui ua_lite_firmware *
CVE-2022-35257

A local privilege escalation vulnerability in UI Desktop for Windows (Version 0.55.1.2 and earlier) allows a malicious actor with local access to a Windows device with UI Desktop to run arbitrary commands as SYSTEM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
ui desktop *
CVE-2022-43553

A remote code execution vulnerability in EdgeRouters (Version 2.0.9-hotfix.4 and earlier) allows a malicious actor with an operator account to run arbitrary administrator commands.This vulnerability is fixed in Version 2.0.9-hotfix.5 and later.

Products Affected

Vendor Product Version
ui edgemax_edgerouter_firmware *
ui edgemax_edgerouter_firmware 2.0.9
CVE-2022-44565

An improper access validation vulnerability exists in airMAX AC <8.7.11, airFiber 60/LR <2.6.2, airFiber 60 XG/HD <v1.0.0 and airFiber GBE <1.4.1 that allows a malicious actor to retrieve status and usage data from the UISP device.

Products Affected

Vendor Product Version
ui airmax_ac_firmware *
ui airfiber_60-hd_firmware *
ui airfiber_gigabeam_firmware *
ui airfiber_60_firmware *
ui airfiber_60-lr_firmware *
ui airfiber_60-xg_firmware *
CVE-2023-1456 HIGH

A vulnerability, which was classified as critical, has been found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6. This issue affects some unknown processing of the component NAT Configuration Handler. The manipulation leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier VDB-223301 was assigned to this vulnerability. NOTE: The vendor position is that post-authentication issues are not accepted as vulnerabilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,CWE-77,

Products Affected

Vendor Product Version
ui edgerouter_x_firmware 2.0.9
CVE-2023-1457 HIGH

A vulnerability, which was classified as critical, was found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6. Affected is an unknown function of the component Static Routing Configuration Handler. The manipulation of the argument next-hop-interface leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. VDB-223302 is the identifier assigned to this vulnerability. NOTE: The vendor position is that post-authentication issues are not accepted as vulnerabilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,CWE-77,

Products Affected

Vendor Product Version
ui edgerouter_x_firmware 2.0.9
CVE-2023-1458 HIGH

A vulnerability has been found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6 and classified as critical. Affected by this vulnerability is an unknown functionality of the component OSPF Handler. The manipulation of the argument area leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The associated identifier of this vulnerability is VDB-223303. NOTE: The vendor position is that post-authentication issues are not accepted as vulnerabilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,CWE-77,

Products Affected

Vendor Product Version
ui edgerouter_x_firmware 2.0.9
CVE-2023-23119

The use of the cyclic redundancy check (CRC) algorithm for integrity check during firmware update makes Ubiquiti airFiber AF2X Radio firmware version 3.2.2 and earlier vulnerable to firmware modification attacks. An attacker can conduct a man-in-the-middle (MITM) attack to modify the new firmware image and bypass the checksum verification.

Products Affected

Vendor Product Version
ui af-2x_firmware *
CVE-2023-2373 MEDIUM

A vulnerability, which was classified as critical, was found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. This affects an unknown part of the component Web Management Interface. The manipulation of the argument ecn-up leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-227649 was assigned to this vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-77,

Products Affected

Vendor Product Version
ui edgemax_edgerouter_firmware *
ui edgemax_edgerouter_firmware 2.0.9
CVE-2023-2374 MEDIUM

A vulnerability has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6 and classified as critical. This vulnerability affects unknown code of the component Web Management Interface. The manipulation of the argument ecn-down leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-227650 is the identifier assigned to this vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-77,

Products Affected

Vendor Product Version
ui er-x_firmware 2.0.9
ui er-x-sfp_firmware 2.0.9
ui er-x-sfp_firmware *
ui er-x_firmware *
CVE-2023-2375 MEDIUM

A vulnerability was found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6 and classified as critical. This issue affects some unknown processing of the component Web Management Interface. The manipulation of the argument src leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-227651.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-77,

Products Affected

Vendor Product Version
ui er-x_firmware 2.0.9
ui er-x-sfp_firmware 2.0.9
ui er-x-sfp_firmware *
ui er-x_firmware *
CVE-2023-2376 MEDIUM

A vulnerability was found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. It has been classified as critical. Affected is an unknown function of the component Web Management Interface. The manipulation of the argument dpi leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-227652.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-77,

Products Affected

Vendor Product Version
ui er-x_firmware 2.0.9
ui er-x-sfp_firmware 2.0.9
ui er-x-sfp_firmware *
ui er-x_firmware *
CVE-2023-2377 MEDIUM

A vulnerability was found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Web Management Interface. The manipulation of the argument name leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-227653 was assigned to this vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-77,

Products Affected

Vendor Product Version
ui er-x_firmware 2.0.9
ui er-x-sfp_firmware 2.0.9
ui er-x-sfp_firmware *
ui er-x_firmware *
CVE-2023-2378 MEDIUM

A vulnerability was found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. It has been rated as critical. Affected by this issue is some unknown functionality of the component Web Management Interface. The manipulation of the argument suffix-rate-up leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-227654 is the identifier assigned to this vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-77,

Products Affected

Vendor Product Version
ui er-x_firmware 2.0.9
ui er-x-sfp_firmware 2.0.9
ui er-x-sfp_firmware *
ui er-x_firmware *
CVE-2023-2379 HIGH

A vulnerability classified as critical has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. This affects an unknown part of the component Web Service. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-227655.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-404,CWE-404,

Products Affected

Vendor Product Version
ui er-x_firmware 2.0.9
ui er-x-sfp_firmware 2.0.9
ui er-x-sfp_firmware *
ui er-x_firmware *
CVE-2023-23912

A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.56 and earlier with their DHCPv6 prefix delegation set to dhcpv6-stateless or dhcpv6-stateful, allows a malicious actor directly connected to the WAN interface of an affected device to create a remote code execution vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
ui er-10x_firmware 2.0.9
ui er-8-xg_firmware 2.0.9
ui er-6p_firmware *
ui er-8-xg_firmware *
ui er-x-sfp_firmware *
ui er-12_firmware 2.0.9
ui er-12p_firmware *
ui er-12_firmware *
ui usg_firmware *
ui er-6p_firmware 2.0.9
ui er-12p_firmware 2.0.9
ui er-4_firmware *
ui usg-pro-4_firmware *
ui er-x_firmware 2.0.9
ui er-10x_firmware *
ui er-4_firmware 2.0.9
ui er-x-sfp_firmware 2.0.9
ui er-x_firmware *
CVE-2023-24104

Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted packets.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
ui unifi_dream_machine_pro_firmware 7.2.95
CVE-2023-28122

A local privilege escalation (LPE) vulnerability in UI Desktop for Windows (Version 0.59.1.71 and earlier) allows a malicious actor with local access to a Windows device running said application to submit arbitrary commands as SYSTEM.This vulnerability is fixed in Version 0.62.3 and later.

Products Affected

Vendor Product Version
ui desktop *
CVE-2023-28123

A permission misconfiguration in UI Desktop for Windows (Version 0.59.1.71 and earlier) could allow an user to hijack VPN credentials while UID VPN is starting.This vulnerability is fixed in Version 0.62.3 and later.

Products Affected

Vendor Product Version
ui desktop *
CVE-2023-28124

Improper usage of symmetric encryption in UI Desktop for Windows (Version 0.59.1.71 and earlier) could allow users with access to UI Desktop configuration files to decrypt their content.This vulnerability is fixed in Version 0.62.3 and later.

Products Affected

Vendor Product Version
ui desktop *
CVE-2023-28365

A backup file vulnerability found in UniFi applications (Version 7.3.83 and earlier) running on Linux operating systems allows application administrators to execute malicious commands on the host device being restored.

Products Affected

Vendor Product Version
ui unifi *
ui unifi_network_application *
CVE-2023-31997

UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi Network that allows users on a local network to access MongoDB. Applicable Cloud Keys that are both (1) running UniFi OS 3.1 and (2) hosting the UniFi Network application. "Applicable Cloud Keys" include the following: Cloud Key Gen2 and Cloud Key Gen2 Plus.

Products Affected

Vendor Product Version
ui unifi_os 3.1
CVE-2023-31998

A heap overflow vulnerability found in EdgeRouters and Aircubes allows a malicious actor to interrupt UPnP service to said devices.

Products Affected

Vendor Product Version
ui aircube_firmware *
ui edgemax_edgerouter_firmware 2.0.9
CVE-2023-32000

A Cross-Site Scripting (XSS) vulnerability found in UniFi Network (Version 7.3.83 and earlier) allows a malicious actor with Site Administrator credentials to escalate privileges by persuading an Administrator to visit a malicious web page.

Products Affected

Vendor Product Version
ui unifi_network_application *
CVE-2023-35085

An integer overflow vulnerability in all UniFi Access Points and Switches, excluding the Switch Flex Mini, with SNMP Monitoring and default settings enabled could allow a Remote Code Execution (RCE). Affected Products: All UniFi Access Points (Version 6.5.50 and earlier) All UniFi Switches (Version 6.5.32 and earlier) -USW Flex Mini excluded. Mitigation: Update UniFi Access Points to Version 6.5.62 or later. Update the UniFi Switches to Version 6.5.59 or later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
ui unifi_uap_firmware *
ui unifi_switch_firmware *
CVE-2023-38034

A command injection vulnerability in the DHCP Client function of all UniFi Access Points and Switches, excluding the Switch Flex Mini, could allow a Remote Code Execution (RCE). Affected Products: All UniFi Access Points (Version 6.5.53 and earlier) All UniFi Switches (Version 6.5.32 and earlier) -USW Flex Mini excluded. Mitigation: Update UniFi Access Points to Version 6.5.62 or later. Update UniFi Switches to Version 6.5.59 or later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
ui unifi_uap_firmware *
ui unifi_switch_firmware *
CVE-2023-41721

Instances of UniFi Network Application that (i) are run on a UniFi Gateway Console, and (ii) are versions 7.5.176. and earlier, implement device adoption with improper access control logic, creating a risk of access to device configuration information by a malicious actor with preexisting access to the network. Affected Products: UDM UDM-PRO UDM-SE UDR UDW Mitigation: Update UniFi Network to Version 7.5.187 or later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
ui unifi_network_application *
CVE-2025-52665

A malicious actor with access to the management network could exploit a misconfiguration in UniFi’s door access application, UniFi Access, that exposed a management API without proper authentication. This vulnerability was introduced in Version 3.3.22 and was fixed in Version 4.0.21 and later.  Affected Products: UniFi Access Application (Version 3.3.22 through 3.4.31). 
 Mitigation: Update your UniFi Access Application to Version 4.0.21 or later.

Products Affected

Vendor Product Version
ui unifi_access *
CVE-2025-59467

A Cross-Site Scripting (XSS) vulnerability in the UCRM Argentina AFIP invoices Plugin (v1.2.0 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. This plugin is disabled by default. Affected Products: UCRM Argentina AFIP invoices Plugin (Version 1.2.0 and earlier) Mitigation: Update UCRM Argentina AFIP invoices Plugin to Version 1.3.0 or later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
support@hackerone.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

Products Affected

Vendor Product Version
ui argentina_afip_invoices *
CVE-2026-21633

A malicious actor with access to the adjacent network could obtain unauthorized access to a UniFi Protect Camera by exploiting a discovery protocol vulnerability in the Unifi Protect Application (Version 6.1.79 and earlier). Affected Products: UniFi Protect Application (Version 6.1.79 and earlier). Mitigation: Update your UniFi Protect Application to Version 6.2.72 or later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
support@hackerone.com 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
ui unifi_protect *
CVE-2026-21634

A malicious actor with access to the adjacent network could overflow the UniFi Protect Application (Version 6.1.79 and earlier) discovery protocol causing it to restart. Affected Products: UniFi Protect Application (Version 6.1.79 and earlier). Mitigation: Update your UniFi Protect Application to Version 6.2.72 or later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
support@hackerone.com 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
ui unifi_protect *
CVE-2026-21635

An Improper Access Control could allow a malicious actor in Wi-Fi range to the EV Station Lite (v1.5.2 and earlier) to use WiFi AutoLink feature on a device that was only adopted via Ethernet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
support@hackerone.com 5.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 1.6 3.6

Products Affected

Vendor Product Version
ui unifi_connect_ev_station_lite_firmware *
CVE-2026-21638

A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: UBB-XG (Version 1.2.2 and earlier) UDB-Pro/UDB-Pro-Sector (Version 1.4.1 and earlier) UBB (Version 3.1.5 and earlier) Mitigation: Update your UBB-XG to Version 1.2.3 or later. Update your UDB-Pro/UDB-Pro-Sector to Version 1.4.2 or later. Update your UBB to Version 3.1.7 or later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
support@hackerone.com 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
ui udb-pro_firmware *
ui ubb_firmware *
ui udb-pro-sector_firmware *
ui ubb-xg_firmware *
CVE-2026-21639

A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: airMAX AC (Version 8.7.20 and earlier) airMAX M (Version 6.3.22 and earlier) airFiber AF60-XG (Version 1.2.2 and earlier) airFiber AF60 (Version 2.6.7 and earlier) Mitigation: Update your airMAX AC to Version 8.7.21 or later. Update your airMAX M to Version 6.3.24 or later. Update your airFiber AF60-XG to Version 1.2.3 or later. Update your airFiber AF60 to Version 2.6.8 or later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.4 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
ui airmax_ac_firmware *
ui airfiber_af60_firmware *
ui airmax_m_firmware *
ui airfiber_af60-xg_firmware *