7.2
CVE-2023-43744
- EPSS 0.19%
- Published 08.12.2023 01:15:07
- Last modified 21.11.2024 08:24:42
- Source cve@mitre.org
- Teams watchlist Login
- Open Login
An OS command injection vulnerability in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an administrator to execute arbitrary OS commands via a file name parameter in a patch application function. The Zultys MX Administrator client has a "Patch Manager" section that allows administrators to apply patches to the device. The user supplied filename for the patch file is passed to a shell script without validation. Including bash command substitution characters in a patch file name results in execution of the provided command.
Data is provided by the National Vulnerability Database (NVD)
Zultys ≫ Mx-se Firmware Version < 16.0.4
Zultys ≫ Mx-se Firmware Version >= 17.0.6 < 17.0.10
Zultys ≫ Mx-se Ii Firmware Version < 16.0.4
Zultys ≫ Mx-se Ii Firmware Version >= 17.0.6 < 17.0.10
Zultys ≫ Mx-e Firmware Version < 16.0.4
Zultys ≫ Mx-e Firmware Version >= 17.0.6 < 17.0.10
Zultys ≫ Mx-virtual Firmware Version < 16.0.4
Zultys ≫ Mx-virtual Firmware Version >= 17.0.6 < 17.0.10
Zultys ≫ Mx250 Firmware Version < 16.0.4
Zultys ≫ Mx250 Firmware Version >= 17.0.6 < 17.0.10
Zultys ≫ Mx30 Firmware Version < 16.0.4
Zultys ≫ Mx30 Firmware Version >= 17.0.6 < 17.0.10
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.19% | 0.41 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.