VYPR
Vendor: Mimosa

Products: 6
CVEs: 10
Across products: 20
Status: Private

Recent CVEs (10)

  • CVE-2017-9135 | High | May 21, 2017
    risk: 0.57, cvss: 8.8, epss: 0.01

    An issue was discovered on Mimosa Client Radios before 2.2.4 and Mimosa Backhaul Radios before 2.2.4. On the backend of the device's web interface, there are some diagnostic tests available that are not displayed on the webpage; these are only accessible by crafting a POST…

  • CVE-2017-9133 | High | May 21, 2017
    risk: 0.57, cvss: 8.8, epss: 0.01

    An issue was discovered on Mimosa Client Radios before 2.2.3 and Mimosa Backhaul Radios before 2.2.3. In the device's web interface, after logging in, there is a page that allows you to ping other hosts from the device and view the results. The user is allowed to specify which…

  • CVE-2017-9136 | High | May 21, 2017
    risk: 0.49, cvss: 7.5, epss: 0.01

    An issue was discovered on Mimosa Client Radios before 2.2.3. In the device's web interface, there is a page that allows an attacker to use an unsanitized GET parameter to download files from the device as the root user. The attacker can download any file from the device's…

  • CVE-2017-9134 | High | May 21, 2017
    risk: 0.49, cvss: 7.5, epss: 0.01

    An information-leakage issue was discovered on Mimosa Client Radios before 2.2.3 and Mimosa Backhaul Radios before 2.2.3. There is a page in the web interface that will show you the device's serial number, regardless of whether or not you have logged in. This information-leakage…

  • CVE-2017-9132 | High | May 21, 2017
    risk: 0.49, cvss: 7.5, epss: 0.01

    A hard-coded credentials issue was discovered on Mimosa Client Radios before 2.2.3, Mimosa Backhaul Radios before 2.2.3, and Mimosa Access Points before 2.2.3. These devices run Mosquitto, a lightweight message broker, to send information between devices. By using the vendor's…

  • CVE-2017-9131 | High | May 21, 2017
    risk: 0.49, cvss: 7.5, epss: 0.03

    An issue was discovered on Mimosa Client Radios before 2.2.3 and Mimosa Backhaul Radios before 2.2.3. By connecting to the Mosquitto broker on an access point and one of its clients, an attacker can gather enough information to craft a command that reboots the client remotely…

  • CVE-2020-25206 | Jul 20, 2021
    risk: 0.02, cvss: not listed, epss: 0.05

    The web console for Mimosa B5, B5c, and C5x firmware through 2.8.0.2 allows authenticated command injection in the Throughput, WANStats, PhyStats, and QosStats API classes. An attacker with access to a web console account may execute operating system commands on affected devices…

  • CVE-2022-21196 | Feb 18, 2022
    risk: 0.00, cvss: not listed, epss: 0.04

    MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 do not perform proper authorization and authentication checks on multiple API routes. An attacker may gain access to these API…

  • CVE-2022-21215 | Feb 18, 2022
    risk: 0.00, cvss: not listed, epss: 0.01

    This vulnerability could allow an attacker to force the server to create and execute a web request granting access to backend APIs that are only accessible to the Mimosa MMP server, or request pages that could perform some actions themselves. The attacker could force the server…

  • CVE-2020-25205 | Jul 20, 2021
    risk: 0.00, cvss: not listed, epss: 0.01

    The web console for Mimosa B5, B5c, and C5x firmware through 2.8.0.2 is vulnerable to stored XSS in the set_banner() function of /var/www/core/controller/index.php. An unauthenticated attacker may set the contents of the /mnt/jffs2/banner.txt file, stored on the device's…