10

CVE-2021-38528

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects D8500 before 1.0.3.58, R6900P before 1.3.2.132, R7000P before 1.3.2.132, R7100LG before 1.0.0.64, WNDR3400v3 before 1.0.1.38, and XR300 before 1.0.3.56.

Data is provided by the National Vulnerability Database (NVD)
NetgearD8500 Firmware Version < 1.0.3.58
   NetgearD8500 Version-
NetgearR6900p Firmware Version < 1.3.2.132
   NetgearR6900p Version-
NetgearR7000p Firmware Version < 1.3.2.132
   NetgearR7000p Version-
NetgearR7100lg Firmware Version < 1.0.0.64
   NetgearR7100lg Version-
NetgearWndr3400 Firmware Version < 1.0.1.38
   NetgearWndr3400 Versionv3
NetgearXr300 Firmware Version < 1.0.3.56
   NetgearXr300 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 2.93% 0.859
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 10 10 10
AV:N/AC:L/Au:N/C:C/I:C/A:C
cve@mitre.org 9.6 2.8 6
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.