CVE-2023-6265 MEDIUM

CVE-2023-6265: DrayTek Vigor2960 mainfunction.cgi dumpSyslog 'option' directory traversal

Vendor DrayTek
Product Vigor2960
Weakness CWE-22 · Path traversal
Published November 22, 2023
Last update August 2, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

** UNSUPPORTED WHEN ASSIGNED ** DrayTek Vigor2960 v1.5.1.4 and v1.5.1.5 are vulnerable to directory traversal via the mainfunction.cgi dumpSyslog 'option' parameter, which allows an authenticated attacker with access to the web management interface to delete arbitrary files. Vigor2960 is no longer supported.

Key dates

02 Disclosure timeline

November 22, 2023 CVE published
August 2, 2024 Record updated