CVE-2023-35138
Severity CVSS v4.0:
Pending analysis
Type:
CWE-78
OS Command Injections
Publication date:
30/11/2023
Last modified:
05/12/2023
Description
A command injection vulnerability in the “show_zysync_server_contents” function of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:* | 5.21\(aazf.14\)c0 (including) | |
cpe:2.3:h:zyxel:nas326:-:*:*:*:*:*:*:* | ||
cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:* | 5.21\(abag.11\)c0 (including) | |
cpe:2.3:h:zyxel:nas542:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page