CVE-2023-35138

Severity CVSS v4.0:
Pending analysis
Type:
CWE-78 OS Command Injections
Publication date:
30/11/2023
Last modified:
05/12/2023

Description

A command injection vulnerability in the “show_zysync_server_contents” function of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:* 5.21\(aazf.14\)c0 (including)
cpe:2.3:h:zyxel:nas326:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:* 5.21\(abag.11\)c0 (including)
cpe:2.3:h:zyxel:nas542:-:*:*:*:*:*:*:*