
CVE-2023-46306

The web administration interface in NetModule Router Software (NRSW) 4.6 before 4.6.0.106 and 4.8 before 4.8.0.101 executes an OS command constructed with unsanitized user input: shell metacharacters in the /admin/gnssAutoAlign.php device_id parameter. This occurs because another thread can be started before the trap that triggers the cleanup function. A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges. NOTE: this is different from CVE-2023-0861 and CVE-2023-0862, which were fixed in version 4.6.0.105.
Data provided by the National Vulnerability Database (NVD)
Affected products (a version of "-" means no specific device firmware version is listed):
Netmodule Netmodule Router Software, version < 4.6.0.105
   Netmodule Nb1601, version -
   Netmodule Nb1800, version -
   Netmodule Nb1810, version -
   Netmodule Nb2800, version -
   Netmodule Nb2810, version -
   Netmodule Nb3701, version -
   Netmodule Nb3800, version -
   Netmodule Ng800, version -
Netmodule Netmodule Router Software, version >= 4.7.0.0 and < 4.7.0.103
   Netmodule Nb1601, version -
   Netmodule Nb1800, version -
   Netmodule Nb1810, version -
   Netmodule Nb2800, version -
   Netmodule Nb2810, version -
   Netmodule Nb3701, version -
   Netmodule Nb3800, version -
   Netmodule Ng800, version -
No CISA KEV entry or CERT.AT advisory was found for this CVE.
EPSS metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   0.15%   0.357

CVSS metrics
Source          Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov    6.6          0.7             5.9            CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
cve@mitre.org   8.4          1.7             6              CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.