Vulnerability Description
The CGI endpoints v2x00.cgi and cgiwcg.cgi of DrayTek Vigor3910 devices through firmware 4.3.2.6 are vulnerable to buffer overflows by authenticated users: parameters supplied in POST requests are passed to strncpy without bounds checking, so an over-long parameter value overruns the fixed-size destination buffer.
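The pattern the description names (a POST parameter handed to strncpy with no check against the destination size) is shown below as an added, hypothetical example; it is not DrayTek code and nothing in it is taken from v2x00.cgi or cgiwcg.cgi. The parameter name `hostname`, the 32-byte field, the form-body parser and the sample request bodies are all constructed for illustration. The vulnerable handler bounds the copy by the source length, which is the classic way strncpy ends up bounding nothing; the hardened handler checks the length against the destination, bounds by the destination, and terminates explicitly.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOSTNAME_LEN 32   /* hypothetical fixed-size field, not the device's real layout */

/* Return a malloc'd copy of the value of `key` from an
 * application/x-www-form-urlencoded POST body, or NULL if the key is absent.
 * Percent-decoding is deliberately left out; the length handling is the point. */
static char *extract_param(const char *body, const char *key) {
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *start = p + klen + 1;
            const char *end = strchr(start, '&');
            size_t vlen = end ? (size_t)(end - start) : strlen(start);
            char *out = malloc(vlen + 1);
            if (!out) return NULL;
            memcpy(out, start, vlen);
            out[vlen] = '\0';
            return out;
        }
        p = strchr(p, '&');   /* advance to the next key=value segment */
        if (p) p++;
    }
    return NULL;
}

/* VULNERABLE pattern: the bound given to strncpy is derived from the
 * attacker-controlled value, not from the destination, so strncpy limits
 * nothing. Any value of HOSTNAME_LEN bytes or more writes past `dst`. */
static int set_hostname_vuln(const char *body, char dst[HOSTNAME_LEN]) {
    char *value = extract_param(body, "hostname");
    if (!value) return -1;
    strncpy(dst, value, strlen(value) + 1);   /* bound == source length: overflow */
    free(value);
    return 0;
}

/* HARDENED: compare the length against the destination first, bound the copy
 * by the destination size, and terminate explicitly (strncpy does not add a
 * NUL when the source fills the buffer). Over-long input is rejected outright
 * rather than silently truncated, so the caller can return an HTTP error. */
static int set_hostname_fixed(const char *body, char dst[HOSTNAME_LEN]) {
    char *value = extract_param(body, "hostname");
    if (!value) return -1;
    size_t vlen = strlen(value);
    if (vlen >= HOSTNAME_LEN) {      /* must leave room for the terminator */
        free(value);
        return -2;
    }
    strncpy(dst, value, HOSTNAME_LEN - 1);
    dst[HOSTNAME_LEN - 1] = '\0';
    free(value);
    return 0;
}

/* Constructed sample bodies: a benign request and one carrying a 64-byte value. */
static const char BODY_OK[]  = "session=abc&hostname=vigor-lab&apply=1";
static const char BODY_BAD[] =
    "session=abc&hostname="
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "&apply=1";

int main(void) {
    char host[HOSTNAME_LEN];
    if (set_hostname_vuln(BODY_OK, host) == 0)
        printf("vuln handler, in-bounds value: \"%s\"\n", host);
    /* set_hostname_vuln(BODY_BAD, host) would overrun `host`; it is not called here. */
    printf("fixed handler, 64-byte value: rc=%d (rejected)\n",
           set_hostname_fixed(BODY_BAD, host));
    return 0;
}
```

The check to look for when auditing a CGI handler is whether the third argument to strncpy (or the equivalent for memcpy / sprintf) is computed from the destination's declared size; a bound taken from strlen of the request parameter, as in the vulnerable handler, is an overflow waiting for a long enough POST body.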
CVSS Score
8.0 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Draytek | Vigor2620 Firmware | All versions |
| Draytek | Vigor2620 | - |
| Draytek | Vigor2915 Firmware | < 4.4.5.3 |
| Draytek | Vigor2915 | - |
| Draytek | Vigor2866 Firmware | < 4.4.5.2 |
| Draytek | Vigor2866 | - |
| Draytek | Vigor2766 Firmware | < 4.4.5.3 |
| Draytek | Vigor2766 | - |
| Draytek | Vigor2865 Firmware | < 4.4.5.2 |
| Draytek | Vigor2865 | - |
| Draytek | Vigor2765 Firmware | < 4.4.5.3 |
| Draytek | Vigor2765 | - |
| Draytek | Vigor2763 Firmware | < 4.4.5.3 |
| Draytek | Vigor2763 | - |
| Draytek | Vigor2135 Firmware | < 4.4.5.3 |
| Draytek | Vigor2135 | - |
| Draytek | Vigor166 Firmware | < 4.2.7 |
| Draytek | Vigor166 | - |
| Draytek | Vigor3912 Firmware | < 4.3.6.1 |
| Draytek | Vigor3912 | - |
Related Weaknesses (CWE)
References
- https://www.forescout.com/resources/draybreak-draytek-research/ (Mitigation, Technical Description, Third Party Advisory)
- https://www.forescout.com/resources/draytek14-vulnerabilities (Broken Link)
FAQ
What is CVE-2024-41588?
CVE-2024-41588 is a vulnerability with a CVSS score of 8.0 (HIGH). The CGI endpoints v2x00.cgi and cgiwcg.cgi of DrayTek Vigor3910 devices through firmware 4.3.2.6 are vulnerable to buffer overflows by authenticated users, because of missing bounds checking on parameters passed through POST requests to the strncpy function.
How severe is CVE-2024-41588?
CVE-2024-41588 has been rated HIGH with a CVSS base score of 8.0/10. Exploitation requires an authenticated user sending POST requests to the affected CGI endpoints, so the attack surface is the device's web management interface.
Is there a patch for CVE-2024-41588?
The Affected Products table above gives, for each model, the firmware version below which the device is affected (for example, Vigor2915 firmware earlier than 4.4.5.3); firmware at or above that version is not listed as affected, so updating to it takes the device out of the affected range. The Vigor2620 entry lists all versions as affected with no fixed version given, and no fixed version appears on this page for the Vigor3910 named in the description. The Forescout research page in the References section is tagged as carrying mitigation guidance and a technical description; the second reference is recorded as a broken link.