GCVE - cpe:2.3:h:peplink:balance_1350:-:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:h:peplink:balance_1350:-:*:*:*:*:*:*:*

part: h version: - update: *

Vendor	Peplink (`7fd66203-db7b-5fc4-b96c-b7b360912c0b`)
Product	Balance 1350 (`69f8bc3a-57fc-575c-8726-c12f46daa0f8`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2017-8841`	not_vulnerable	2026-06-03 14:37:40.710167	Details available Arbitrary file deletion exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The attack methodology is absolute path traversal in cgi-bin/MANGA/firmware_process.cgi via the upfile.path parameter. Published: 2017-06-05T14:00:00.000Z Updated: 2024-08-05T16:48:22.693Z Open on db.gcve.eu Reference links http://seclists.org/bugtraq/2017/Jun/1 https://www.exploit-db.com/exploits/42130/ https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-8840`	not_vulnerable	2026-06-03 14:37:40.709327	Details available Debug information disclosure exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. A direct request to cgi-bin/HASync/hasync.cgi?debug=1 shows Master LAN Address, Serial Number, HA Group ID, Virtual IP, and Submitted syncid. Published: 2017-06-05T14:00:00.000Z Updated: 2024-08-05T16:48:22.728Z Open on db.gcve.eu Reference links http://seclists.org/bugtraq/2017/Jun/1 https://www.exploit-db.com/exploits/42130/ https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-8839`	not_vulnerable	2026-06-03 14:37:40.708538	Details available XSS via orig_url exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is guest/preview.cgi. Published: 2017-06-05T14:00:00.000Z Updated: 2024-08-05T16:48:22.737Z Open on db.gcve.eu Reference links http://seclists.org/bugtraq/2017/Jun/1 https://www.exploit-db.com/exploits/42130/ https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-8838`	not_vulnerable	2026-06-03 14:37:40.707570	Details available XSS via syncid exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is cgi-bin/HASync/hasync.cgi. Published: 2017-06-05T14:00:00.000Z Updated: 2024-08-05T16:48:22.692Z Open on db.gcve.eu Reference links http://seclists.org/bugtraq/2017/Jun/1 https://www.exploit-db.com/exploits/42130/ https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-8837`	not_vulnerable	2026-06-03 14:37:40.706783	Details available Cleartext password storage exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The files in question are /etc/waipass and /etc/roapass. In case one of these devices is compromised, the attacker can gain access to passwords and abuse them to compromise further systems. Published: 2017-06-05T14:00:00.000Z Updated: 2024-08-05T16:48:22.755Z Open on db.gcve.eu Reference links http://seclists.org/bugtraq/2017/Jun/1 https://www.exploit-db.com/exploits/42130/ https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-8836`	not_vulnerable	2026-06-03 14:37:40.705956	Details available CSRF exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The CGI scripts in the administrative interface are affected. This allows an attacker to execute commands, if a logged in user visits a malicious website. This can for example be used to change the credentials of the administrative webinterface. Published: 2017-06-05T14:00:00.000Z Updated: 2024-08-05T16:48:22.680Z Open on db.gcve.eu Reference links http://seclists.org/bugtraq/2017/Jun/1 https://www.exploit-db.com/exploits/42130/ https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-8835`	not_vulnerable	2026-06-03 14:37:40.703790	Details available SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database. Published: 2017-06-05T14:00:00.000Z Updated: 2024-08-05T16:48:22.700Z Open on db.gcve.eu Reference links http://seclists.org/bugtraq/2017/Jun/1 https://www.exploit-db.com/exploits/42130/ https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.