The Web CGI Script on ZyXEL LTE4506-M606 V1.00(ABDO.2)C0...

Critical severity Unreviewed Published May 24, 2022 to the GitHub Advisory Database • Updated Jan 29, 2023

Package

No package listed

Affected versions

Unknown

Patched versions

Unknown

Description

The Web CGI Script on ZyXEL LTE4506-M606 V1.00(ABDO.2)C0 devices does not require authentication, which allows remote unauthenticated attackers (via crafted JSON action data to /cgi-bin/gui.cgi) to use all features provided by the router. Examples: change the router password, retrieve the Wi-Fi passphrase, send an SMS message, or modify the IP forwarding to access the internal network.

References

Published by the National Vulnerability Database Mar 16, 2021
Published to the GitHub Advisory Database May 24, 2022
Last updated Jan 29, 2023

Severity

Critical

EPSS score

0.315%
(71st percentile)

Weaknesses

CVE ID

CVE-2020-28899

GHSA ID

GHSA-345j-gpg7-fhmx

Source code

No known source code

Dependabot alerts are not supported on this advisory because it does not have a package from a supported ecosystem with an affected and fixed version.