Vulnerability Details

CVE-2023-49253
Type: Use of Hard-coded Credentials (CWE-798)
Affected Version: H8951-4G-ESP, build up to 2310271149

CVE-2023-49254
Type: OS Command Injection (CWE-78)
Affected Version: H8951-4G-ESP, build up to 2310271149

CVE-2023-49255
Type: Missing Authentication for Critical Function (CWE-306)
Affected Version: H8951-4G-ESP, build up to 2310271149

CVE-2023-49256
Type: Use of Hard-coded Cryptographic Key (CWE-321)
Affected Version: H8951-4G-ESP, build up to 2310271149

CVE-2023-49257
Type: Unrestricted Upload of File with Dangerous Type (CWE-434)
Affected Version: H8951-4G-ESP, build up to 2310271149

CVE-2023-49258
Type: Cross-site Scripting (CWE-79)
Affected Version: H8951-4G-ESP, build up to 2310271149

CVE-2023-49259
Type: Predictable from Observable State (CWE-341)
Affected Version: H8951-4G-ESP, build up to 2310271149

CVE-2023-49260
Type: Cross-site Scripting (CWE-79)
Affected Version: H8951-4G-ESP, build up to 2310271149

CVE-2023-49261
Type: Insertion of Sensitive Information Into Sent Data (CWE-201)
Affected Version: H8951-4G-ESP, build up to 2310271149

CVE-2023-49262
Type: Integer Overflow or Wraparound (CWE-190)
Affected Version: H8951-4G-ESP, build up to 2310271149

Report Source

Reporting Body: CERT Poland
Report Date: January 12, 2024
Acknowledgment: Thanks to Robert Pogorzelski from SEQRED for the report.

Vulnerability Description

This page details 12 vulnerabilities affecting the Hongdian H8951-4G-ESP router, including hard-coded credentials, command injection, missing authentication, hard-coded cryptographic keys, unrestricted upload of dangerous file types, cross-site scripting, predictable values from observable state, sensitive information leakage in transmitted data, and integer overflow. These vulnerabilities affect specific firmware versions of the device; users are advised to monitor for and apply patches released by the manufacturer.