CVE-2023-31447

user_login.cgi on Draytek Vigor2620 devices before 3.9.8.4 (and on all versions of Vigor2925 devices) allows attackers to send a crafted payload to modify the content of the code segment, insert shellcode, and execute arbitrary code.

References

Configurations

Configuration 1

AND
cpe:2.3:h:draytek:vigor2620:-:*:*:*:*:*:*:*
cpe:2.3:o:draytek:vigor2620_firmware:*:*:*:*:*:*:*:*

Configuration 2

AND
cpe:2.3:h:draytek:vigor2625:-:*:*:*:*:*:*:*
cpe:2.3:o:draytek:vigor2625_firmware:*:*:*:*:*:*:*:*

History

07 Oct 2024, 19:36

Type | Values Removed | Values Added
CWE | | CWE-94

30 Aug 2023, 20:50

Type | Values Removed | Values Added
References | (MISC) https://gist.github.com/rrrrrrri/013c9eef64b265af4163478bfcf29ff4 - | (MISC) https://gist.github.com/rrrrrrri/013c9eef64b265af4163478bfcf29ff4 - Third Party Advisory
References | (MISC) https://draytek.com - | (MISC) https://draytek.com - Product
CVSS | v2 : unknown, v3 : unknown | v2 : unknown, v3 : 9.8
First Time | | Draytek vigor2620, Draytek, Draytek vigor2625, Draytek vigor2620 Firmware, Draytek vigor2625 Firmware
CPE | | cpe:2.3:o:draytek:vigor2620_firmware:*:*:*:*:*:*:*:*, cpe:2.3:h:draytek:vigor2625:-:*:*:*:*:*:*:*, cpe:2.3:o:draytek:vigor2625_firmware:*:*:*:*:*:*:*:*, cpe:2.3:h:draytek:vigor2620:-:*:*:*:*:*:*:*
CWE | | NVD-CWE-noinfo

21 Aug 2023, 18:35

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2023-08-21 17:15

Updated : 2024-10-07 19:36


NVD link : CVE-2023-31447

Mitre link : CVE-2023-31447

CVE.ORG link : CVE-2023-31447


Products Affected

draytek

  • vigor2625
  • vigor2620_firmware
  • vigor2620
  • vigor2625_firmware

CWE

NVD-CWE-noinfo

CWE-94: Improper Control of Generation of Code ('Code Injection')