Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.
oryginał ENCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NPeplink Intcontrol 2
APPPeplink≤ 2.14.2
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Powiązane podatności
CVE-2023-39367CRITICAL9.1PL ✓ten sam vendor
OS command injection w interfejsie web Peplink Smart Reader (mac2name)
CVE-2017-8837CRITICAL9.8ten sam vendor
Cleartext password storage exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware ...
CVE-2017-8835CRITICAL9.8ten sam vendor
SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b30...
CVE-2023-45744HIGH8.3ten sam vendor
A data integrity vulnerability exists in the web interface /cgi-bin/upload_config.cgi functionality of Peplink...
CVE-2023-49230HIGH8.8ten sam vendor
An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in captive portals ...