Vulnerability Note VU#101462
DrayTek Vigor 2700 ADSL router contains a command injection vulnerability
DrayTek Vigor 2700 ADSL router version 2.8.3 and possibly earlier versions contain a command injection vulnerability that can be triggered by a malicious SSID (CWE-77).
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
An attacker within range of the DrayTek Vigor ADSL router can edit the SSID on their malicious access point to corrupt the variables.js file. This may cause the DrayTek router to call external scripts or make unauthorized changes to the settings, which may include poisoning the DNS cache.
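The sketch below is an added example of the bug class described above; it is not DrayTek firmware code and not part of the original note. It assumes, hypothetically, that the web interface writes scanned SSIDs into variables.js as JavaScript string literals. All function names and the sample SSID are constructed for illustration.

```javascript
// Added illustration of the bug class; not DrayTek code. Assumption: the
// router's web UI writes scanned SSIDs into variables.js as string literals.

// Constructed sample: an SSID (max 32 bytes) containing a double quote.
const CONSTRUCTED_SSID = 'home"; var injected = "1';

// Weak form: the SSID is pasted into the literal unescaped, so a quote in
// the SSID ends the string and the rest is parsed as script.
function renderNaive(ssids) {
  return ssids.map((s, i) => `var ssid${i} = "${s}";`).join('\n');
}

// Hardened form: encode the SSID as data. JSON.stringify escapes quotes,
// backslashes and control characters; the extra pass also escapes characters
// that matter if the file is ever inlined into HTML, plus U+2028/U+2029.
function escapeForJs(ssid) {
  return JSON.stringify(String(ssid)).replace(
    /[<>&'\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0')
  );
}

function renderSafe(ssids) {
  return ssids.map((s, i) => `var ssid${i} = ${escapeForJs(s)};`).join('\n');
}

// Evaluate a generated file in its own function scope and report the value
// of ssid0 and whether an extra variable named "injected" was declared.
function load(source) {
  const probe = 'return { ssid0: ssid0, extra: typeof injected !== "undefined" };';
  return new Function(source + '\n' + probe)();
}

const naive = load(renderNaive([CONSTRUCTED_SSID]));
const safe = load(renderSafe([CONSTRUCTED_SSID]));
console.log('naive:', naive); // SSID truncated, extra declaration present
console.log('safe: ', safe);  // SSID preserved byte-for-byte, nothing extra
```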
We are currently unaware of a practical solution to this problem.
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| DrayTek Corporation | Affected | 06 Sep 2013 | 10 Oct 2013 |
Thanks to Juraj Kosik for reporting this vulnerability.
This document was written by Adam Rauf.
- CVE IDs: CVE-2013-5703
- Date Public: 22 Oct 2013
- Date First Published: 22 Oct 2013
- Date Last Updated: 22 Oct 2013
- Document Revision: 25