Vulnerabilities (CVE)

Filtered by vendor Fruitywifi Project Subscribe
Filtered by product Fruitywifi
Total 5 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-24849 1 Fruitywifi Project 1 Fruitywifi 2024-11-21 6.5 MEDIUM 8.8 HIGH
A remote code execution vulnerability is identified in FruityWifi through 2.4. Due to improperly escaped shell metacharacters obtained from the POST request at the page_config_adv.php page, it is possible to perform remote code execution by an authenticated attacker. This is similar to CVE-2018-17317.
CVE-2020-24848 1 Fruitywifi Project 1 Fruitywifi 2024-11-21 7.2 HIGH 7.8 HIGH
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-24847 1 Fruitywifi Project 1 Fruitywifi 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticated attacker can change the newSSID and hostapd_wpa_passphrase.
CVE-2018-19168 1 Fruitywifi Project 1 Fruitywifi 2024-11-21 10.0 HIGH 9.8 CRITICAL
Shell Metacharacter Injection in www/modules/save.php in FruityWifi (aka PatatasFritas/PatataWifi) through 2.4 allows remote attackers to execute arbitrary code with root privileges via a crafted mod_name parameter in a POST request. NOTE: unlike in CVE-2018-17317, the attacker does not need a valid session.
CVE-2018-17317 1 Fruitywifi Project 1 Fruitywifi 2024-11-21 7.5 HIGH 9.8 CRITICAL
FruityWifi (aka PatatasFritas/PatataWifi) 2.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the io_mode, ap_mode, io_action, io_in_iface, io_in_set, io_in_ip, io_in_mask, io_in_gw, io_out_iface, io_out_set, io_out_mask, io_out_gw, iface, or domain parameter to /www/script/config_iface.php, or the newSSID, hostapd_secure, hostapd_wpa_passphrase, or supplicant_ssid parameter to /www/page_config.php.