CVE has been recently published to the CVE List and has been received by the NVD.
Products
Zyxel NWA1123ACv3
- 6.70(ABVT.4) and earlier
WAC500
- 6.70(ABVS.4) and earlier
WAX655E
- 7.00(ACDO.1) and earlier
WBE530
- 7.00(ACLE.1) and earlier
USG LITE 60AX
- V2.00(ACIP.2)
Source
security@zyxel.com.tw
Tags
CVE-2024-7261 details
Last Modified : Sept. 3, 2024, 12:59 p.m.
Description
The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9.8 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
9.8
Exploitability Score
3.9
Impact Score
5.9
Base Severity
CRITICAL
Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H