8.1
CVE-2023-22913
- EPSS 0.95%
- Published 24.04.2023 17:15:09
- Last modified 21.11.2024 07:45:38
- Source security@zyxel.com.tw
- Teams watchlist Login
- Open Login
A post-authentication command injection vulnerability in the “account_operator.cgi” CGI program of Zyxel USG FLEX series firmware versions 4.50 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow a remote authenticated attacker to modify device configuration data, resulting in denial-of-service (DoS) conditions on an affected device.
Data is provided by the National Vulnerability Database (NVD)
Zyxel ≫ Usg Flex 100 Firmware Version >= 4.50 <= 5.35
Zyxel ≫ Usg Flex 100w Firmware Version >= 4.50 <= 5.35
Zyxel ≫ Usg Flex 200 Firmware Version >= 4.50 <= 5.35
Zyxel ≫ Usg Flex 50 Firmware Version >= 4.50 <= 5.35
Zyxel ≫ Usg Flex 50w Firmware Version >= 4.50 <= 5.35
Zyxel ≫ Usg Flex 500 Firmware Version >= 4.50 <= 5.35
Zyxel ≫ Usg Flex 700 Firmware Version >= 4.50 <= 5.35
Zyxel ≫ Vpn100 Firmware Version >= 4.50 <= 5.35
Zyxel ≫ Vpn1000 Firmware Version >= 4.50 <= 5.35
Zyxel ≫ Vpn300 Firmware Version >= 4.50 <= 5.35
Zyxel ≫ Vpn50 Firmware Version >= 4.50 <= 5.35
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.95% | 0.742 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 2.8 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
|
| security@zyxel.com.tw | 8.1 | 2.8 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
|
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.