8.8
CVE-2023-36489
- EPSS 0.14%
- Veröffentlicht 06.09.2023 10:15:13
- Zuletzt bearbeitet 21.11.2024 08:09:49
- Quelle vultures@jpcert.or.jp
- Teams Watchlist Login
- Unerledigt Login
Multiple TP-LINK products allow a network-adjacent unauthenticated attacker to execute arbitrary OS commands. Affected products/versions are as follows: TL-WR802N firmware versions prior to 'TL-WR802N(JP)_V4_221008', TL-WR841N firmware versions prior to 'TL-WR841N(JP)_V14_230506', and TL-WR902AC firmware versions prior to 'TL-WR902AC(JP)_V3_230506'.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Tp-link ≫ Tl-wr902ac Firmware Version < 230506
Tp-link ≫ Tl-wr802n Firmware Version < 221008
Tp-link ≫ Tl-wr841n Firmware Version < 230506
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.14% | 0.353 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.