PT-2023-9805 · Draytek · Draytek Vigor2960
Tmotfl · Published 2023-03-03 · Updated 2024-08-02 · CVE-2023-1163
CVSS v2.0: 6.8 (Medium)
| Vector | AV:N/AC:L/Au:S/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
DrayTek Vigor 2960 versions 1.5.1.4 through 1.5.1.5
Description
A critical vulnerability has been found in the Web Management Interface of DrayTek Vigor 2960, specifically in the function getSyslogFile of the file mainfunction.cgi. The issue is an incorrect restriction of directory path names, which leads to path traversal. This allows a remote attacker to gain unauthorized access to confidential system files. The exploit has been disclosed to the public and may be used.
Recommendations
For DrayTek Vigor 2960 versions 1.5.1.4 through 1.5.1.5, consider disabling the getSyslogFile function of the mainfunction.cgi file as a temporary workaround to minimize the risk of exploitation. Restrict access to the Web Management Interface to reduce the attack surface.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Path traversal
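The flaw class above is an insufficient restriction of a user-supplied file name to the intended directory. The following is an added illustration of the defensive check such a file-serving handler needs, written for this page and not taken from DrayTek firmware; the base directory, function names and sample requests are assumptions, and the sample requests are constructed for the demonstration.

```python
import os
from typing import Optional

# Hypothetical archive directory for this example; not a real DrayTek path.
SYSLOG_DIR = "/srv/syslog_archive"


def resolve_syslog_path(requested: str, base_dir: str = SYSLOG_DIR) -> Optional[str]:
    """Map a requested log file name to an absolute path inside base_dir.

    Returns None when the request is empty, contains a NUL byte, or
    would resolve to a location outside base_dir (including base_dir
    itself, which is a directory rather than a file).
    """
    if not requested or "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when `requested` is absolute, so an
    # absolute request is caught by the containment check below.
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base:
        return None
    # commonpath compares whole components, so "/srv/syslog_archive2"
    # is correctly rejected for base "/srv/syslog_archive".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def looks_like_traversal(requested: str) -> bool:
    """Heuristic for request logging: flag inputs a defender should audit."""
    normalized = requested.replace("\\", "/")
    parts = normalized.split("/")
    return normalized.startswith("/") or ".." in parts or "\x00" in requested


if __name__ == "__main__":
    # Constructed sample requests; outcomes are what a hardened handler should give.
    for req in ["router.log", "archive/../router.log", "../../etc/passwd", "/etc/passwd"]:
        print(f"{req!r:28} -> {resolve_syslog_path(req)}  suspicious={looks_like_traversal(req)}")
```

The containment check is done on the canonicalized path rather than on the raw string, so `..` segments, redundant separators and symlink indirection are all handled by the same comparison; `looks_like_traversal` is a separate, cheaper heuristic meant only for alerting on requests that are worth inspecting in the access logs.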
Affected Products
Draytek Vigor2960