CVE-2024-29976
Severity CVSS v4.0:
Pending analysis
Type:
CWE-269
Improper Privilege Management
Publication date:
04/06/2024
Last modified:
22/01/2025
Description
** UNSUPPORTED WHEN ASSIGNED **<br />
The improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device.
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:* | 5.21\(aazf.17\)c0 (excluding) | |
| cpe:2.3:h:zyxel:nas326:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:* | 5.21\(abag.14\)c0 (excluding) | |
| cpe:2.3:h:zyxel:nas542:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/
- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024
- https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/
- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024