CVE-2023-37927

The improper neutralization of special elements in the CGI program of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas326:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas542:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:12

Type Values Removed Values Added
References () https://bugprove.com/knowledge-hub/cve-2023-37927-and-cve-2023-37928-multiple-post-auth-blind-os-command-and-python-code-injection-vulnerabilities-in-zyxel-s-nas-326-devices/ - () https://bugprove.com/knowledge-hub/cve-2023-37927-and-cve-2023-37928-multiple-post-auth-blind-os-command-and-python-code-injection-vulnerabilities-in-zyxel-s-nas-326-devices/ -
References () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products - Patch, Vendor Advisory () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products - Patch, Vendor Advisory

06 Dec 2023, 01:15

Type Values Removed Values Added
References
  • () https://bugprove.com/knowledge-hub/cve-2023-37927-and-cve-2023-37928-multiple-post-auth-blind-os-command-and-python-code-injection-vulnerabilities-in-zyxel-s-nas-326-devices/ -

05 Dec 2023, 18:30

Type Values Removed Values Added
First Time Zyxel nas542
Zyxel
Zyxel nas326 Firmware
Zyxel nas326
Zyxel nas542 Firmware
CPE cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas542:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas326:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*
References () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products - () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products - Patch, Vendor Advisory

30 Nov 2023, 02:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-11-30 02:15

Updated : 2024-11-21 08:12


NVD link : CVE-2023-37927

Mitre link : CVE-2023-37927

CVE.ORG link : CVE-2023-37927


JSON object : View

Products Affected

zyxel

  • nas326
  • nas542_firmware
  • nas542
  • nas326_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')