CVE-2023-49254

Authenticated user can execute arbitrary commands in the context of the root user by providing payload in the "destination" field of the network test tools. This is similar to the vulnerability CVE-2021-28151 mitigated on the user interface level by blacklisting characters with JavaScript, however, it can still be exploited by sending POST requests directly.
References
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:hongdian:h8951-4g-esp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:hongdian:h8951-4g-esp:-:*:*:*:*:*:*:*

History

18 Jan 2024, 21:14

Type Values Removed Values Added
First Time Hongdian h8951-4g-esp
Hongdian
Hongdian h8951-4g-esp Firmware
CWE CWE-78
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8
References () https://cert.pl/en/posts/2024/01/CVE-2023-49253/ - () https://cert.pl/en/posts/2024/01/CVE-2023-49253/ - Third Party Advisory
References () https://cert.pl/posts/2024/01/CVE-2023-49253/ - () https://cert.pl/posts/2024/01/CVE-2023-49253/ - Third Party Advisory
CPE cpe:2.3:o:hongdian:h8951-4g-esp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:hongdian:h8951-4g-esp:-:*:*:*:*:*:*:*

12 Jan 2024, 15:54

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-12 15:15

Updated : 2024-02-28 20:54


NVD link : CVE-2023-49254

Mitre link : CVE-2023-49254

CVE.ORG link : CVE-2023-49254


JSON object : View

Products Affected

hongdian

  • h8951-4g-esp_firmware
  • h8951-4g-esp
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')