8.8

CVE-2023-27917

OS command injection vulnerability in CONPROSYS IoT Gateway products allows a remote authenticated attacker who can access Network Maintenance page to execute arbitrary OS commands with a root privilege. The affected products and versions are as follows: M2M Gateway with the firmware Ver.3.7.10 and earlier (CPS-MG341-ADSC1-111, CPS-MG341-ADSC1-931, CPS-MG341G-ADSC1-111, CPS-MG341G-ADSC1-930, and CPS-MG341G5-ADSC1-931), M2M Controller Integrated Type with firmware Ver.3.7.6 and earlier versions (CPS-MC341-ADSC1-111, CPS-MC341-ADSC1-931, CPS-MC341-ADSC2-111, CPS-MC341G-ADSC1-110, CPS-MC341Q-ADSC1-111, CPS-MC341-DS1-111, CPS-MC341-DS11-111, CPS-MC341-DS2-911, and CPS-MC341-A1-111), and M2M Controller Configurable Type with firmware Ver.3.8.8 and earlier versions (CPS-MCS341-DS1-111, CPS-MCS341-DS1-131, CPS-MCS341G-DS1-130, CPS-MCS341G5-DS1-130, and CPS-MCS341Q-DS1-131).

Data is provided by the National Vulnerability Database (NVD)
ContecCps-mg341-adsc1-111 Firmware Version <= 3.7.10
   ContecCps-mg341-adsc1-111 Version-
ContecCps-mg341-adsc1-931 Firmware Version <= 3.7.10
   ContecCps-mg341-adsc1-931 Version-
ContecCps-mg341g-adsc1-111 Firmware Version <= 3.7.10
   ContecCps-mg341g-adsc1-111 Version-
ContecCps-mg341g-adsc1-930 Firmware Version <= 3.7.10
   ContecCps-mg341g-adsc1-930 Version-
ContecCps-mg341g5-adsc1-931 Firmware Version <= 3.7.10
   ContecCps-mg341g5-adsc1-931 Version-
ContecCps-mc341-adsc1-111 Firmware Version <= 3.7.6
   ContecCps-mc341-adsc1-111 Version-
ContecCps-mc341-adsc1-931 Firmware Version <= 3.7.6
   ContecCps-mc341-adsc1-931 Version-
ContecCps-mc341-adsc2-111 Firmware Version <= 3.7.6
   ContecCps-mc341-adsc2-111 Version-
ContecCps-mc341g-adsc1-110 Firmware Version <= 3.7.6
   ContecCps-mc341g-adsc1-110 Version-
ContecCps-mc341q-adsc1-111 Firmware Version <= 3.7.6
   ContecCps-mc341q-adsc1-111 Version-
ContecCps-mc341-ds1-111 Firmware Version <= 3.7.6
   ContecCps-mc341-ds1-111 Version-
ContecCps-mc341-ds11-111 Firmware Version <= 3.7.6
   ContecCps-mc341-ds11-111 Version-
ContecCps-mc341-ds2-911 Firmware Version <= 3.7.6
   ContecCps-mc341-ds2-911 Version-
ContecCps-mc341-a1-111 Firmware Version <= 3.7.6
   ContecCps-mc341-a1-111 Version-
ContecCps-mcs341-ds1-111 Firmware Version <= 3.8.8
   ContecCps-mcs341-ds1-111 Version-
ContecCps-mcs341-ds1-131 Firmware Version <= 3.8.8
   ContecCps-mcs341-ds1-131 Version-
ContecCps-mcs341g-ds1-130 Firmware Version <= 3.8.8
   ContecCps-mcs341g-ds1-130 Version-
ContecCps-mcs341g5-ds1-130 Firmware Version <= 3.8.8
   ContecCps-mcs341g5-ds1-130 Version-
ContecCps-mcs341q-ds1-131 Firmware Version <= 3.8.8
   ContecCps-mcs341q-ds1-131 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 2.53% 0.845
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.