CVE-2020-14993

Name of the Vulnerable Software and Affected Versions DrayTek Vigor2960 versions prior to 1.5.1.1 DrayTek Vigor3900 versions prior to 1.5.1.1 DrayTek Vigor300B versions prior to 1.5.1.1

Description The issue is related to a stack-based buffer overflow in the mainfunction.cgi script of the DrayTek Vigor web interface. This can be exploited by remote attackers to execute arbitrary code when the formuserphonenumber parameter is processed in an authusersms action to "mainfunction.cgi".

Recommendations For DrayTek Vigor2960 versions prior to 1.5.1.1, update to version 1.5.1.1 or later. For DrayTek Vigor3900 versions prior to 1.5.1.1, update to version 1.5.1.1 or later. For DrayTek Vigor300B versions prior to 1.5.1.1, update to version 1.5.1.1 or later. As a temporary workaround, consider restricting access to the "mainfunction.cgi" script until a patch is available. Avoid using the formuserphonenumber parameter in the affected API endpoint until the issue is resolved.