CVE-2021-20123
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- December 17, 2020
- Published Date
- October 13, 2021
- Last Updated
- September 03, 2024
- Vendor
- n/a
- Product
- Draytek VigorConnect
- Description
- A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
CVSS Scores
CVSS v3.1
7.5 - HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SSVC Information
- Exploitation
- active
- Automatable
- Yes
- Technical Impact
- partial
Exploit Status
- Exploited in the Wild
- Yes (added 2024-09-03 00:00:00 UTC) Source
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CISA | 2024-09-03 00:00:00 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-20123.yaml | 2025-04-26 00:00:00 UTC |