CVE-2023-25643

EPSS 0.28%
Veröffentlicht 14.12.2023 08:15:38
Zuletzt bearbeitet 21.11.2024 07:49:51
Quelle psirt@zte.com.cn
Teams Watchlist Login
Unerledigt Login



There is a command injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zte ≫ Mc801a Firmware Versionmc801a_elisa3_b19

Zte ≫ Mc801a Version-

Zte ≫ Mc801a1 Firmware Versionmc801a1_elisa1_b04

Zte ≫ Mc801a1 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.28%	0.51

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
psirt@zte.com.cn	8.4	1.7	6	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032504

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-25643

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-25643

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-25643

EUVD