9.8критическая
CVE-2024-7261
Описание
The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4)
and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1)
and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.
Затрагиваемое ПО
Zyxel Nwa110ax firmwareZyxel Nwa110axZyxel Nwa1123-ac pro firmwareZyxel Nwa1123-ac proZyxel Nwa1123acv3 firmwareZyxel Nwa1123acv3Zyxel Nwa130be firmwareZyxel Nwa130beZyxel Nwa210ax firmwareZyxel Nwa210axZyxel Nwa220ax-6e firmwareZyxel Nwa220ax-6eZyxel Nwa50ax firmwareZyxel Nwa50axZyxel Nwa50ax pro firmwareZyxel Nwa50ax proZyxel Nwa55axe firmwareZyxel Nwa55axeZyxel Nwa90ax firmwareZyxel Nwa90axZyxel Nwa90ax pro firmwareZyxel Nwa90ax proZyxel Usg lite 60ax firmwareZyxel Usg lite 60axZyxel Wac500 firmware
CVSS
| Балл | 9.8 — критическая |
| Вектор | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Источники
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-aps-and-security-router-devices-09-03-2024