Vulnerabilities (CVE)

Filtered by vendor Mofinetwork Subscribe
Filtered by product Mofi4500-4gxelte
Total 10 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-15836 1 Mofinetwork 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware 2024-11-21 10.0 HIGH 9.8 CRITICAL
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The authentication function passes untrusted data to the operating system without proper sanitization. A crafted request can be sent to execute arbitrary commands as root.
CVE-2020-15835 1 Mofinetwork 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware 2024-11-21 10.0 HIGH 9.8 CRITICAL
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The authentication function contains undocumented code that provides the ability to authenticate as root without knowing the actual root password. An adversary with the private key can remotely authenticate to the management interface as root.
CVE-2020-15834 1 Mofinetwork 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware 2024-11-21 5.0 MEDIUM 7.5 HIGH
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The wireless network password is exposed in a QR encoded picture that an unauthenticated adversary can download via the web-management interface.
CVE-2020-15833 1 Mofinetwork 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware 2024-11-21 10.0 HIGH 9.8 CRITICAL
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The Dropbear SSH daemon has been modified to accept an alternate hard-coded path to a public key that allows root access. This key is stored in a /rom location that cannot be modified by the device owner.
CVE-2020-15832 1 Mofinetwork 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware 2024-11-21 7.8 HIGH 7.5 HIGH
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The poof.cgi script contains undocumented code that provides the ability to remotely reboot the device. An adversary with the private key (but not the root password) can remotely reboot the device.
CVE-2020-13860 1 Mofinetwork 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware 2024-11-21 5.0 MEDIUM 7.5 HIGH
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. The one-time password algorithm for the undocumented system account mofidev generates a predictable six-digit password.
CVE-2020-13859 1 Mofinetwork 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware 2024-11-21 5.0 MEDIUM 9.8 CRITICAL
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. A format error in /etc/shadow, coupled with a logic bug in the LuCI - OpenWrt Configuration Interface framework, allows the undocumented system account mofidev to login to the cgi-bin/luci/quick/wizard management interface without a password by abusing a forgotten-password feature.
CVE-2020-13858 1 Mofinetwork 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. They contain two undocumented administrator accounts. The sftp and mofidev accounts are defined in /etc/passwd and the password is not unique across installations.
CVE-2020-13857 1 Mofinetwork 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware 2024-11-21 7.8 HIGH 7.5 HIGH
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. They can be rebooted by sending an unauthenticated poof.cgi HTTP GET request.
CVE-2020-13856 1 Mofinetwork 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware 2024-11-21 5.0 MEDIUM 7.5 HIGH
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. Authentication is not required to download the support file that contains sensitive information such as cleartext credentials and password hashes.