7.2
CVE-2023-26213
- EPSS 4.85%
- Veröffentlicht 03.03.2023 22:15:09
- Zuletzt bearbeitet 07.03.2025 16:15:37
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginOn Barracuda CloudGen WAN Private Edge Gateway devices before 8 webui-sdwan-1089-8.3.1-174141891, an OS command injection vulnerability exists in /ajax/update_certificate - a crafted HTTP request allows an authenticated attacker to execute arbitrary commands. For example, a name field can contain :password and a password field can contain shell metacharacters.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Barracuda ≫ T100b Firmware Version8.3.1 Update-
Barracuda ≫ T200c Firmware Version8.3.1 Update-
Barracuda ≫ T400c Firmware Version8.3.1 Update-
Barracuda ≫ T600d Firmware Version8.3.1 Update-
Barracuda ≫ T900b Firmware Version8.3.1 Update-
Barracuda ≫ T93a Firmware Version8.3.1 Update-
Barracuda ≫ T193a Firmware Version8.3.1 Update-
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 4.85% | 0.892 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.