CVE-2023-5372

The post-authentication command injection vulnerability in Zyxel NAS326 firmware versions through V5.21(AAZF.15)C0 and NAS542 firmware versions through V5.21(ABAG.12)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands by sending a crafted query parameter attached to the URL of an affected device’s web management interface.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas326:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas542:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:41

Type Values Removed Values Added
References () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-nas-products-01-30-2024 - Vendor Advisory () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-nas-products-01-30-2024 - Vendor Advisory

05 Feb 2024, 22:05

Type Values Removed Values Added
First Time Zyxel nas326
Zyxel nas542
Zyxel
Zyxel nas542 Firmware
Zyxel nas326 Firmware
References () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-nas-products-01-30-2024 - () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-nas-products-01-30-2024 - Vendor Advisory
CPE cpe:2.3:h:zyxel:nas326:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas542:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:*

30 Jan 2024, 01:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-30 01:15

Updated : 2024-11-21 08:41


NVD link : CVE-2023-5372

Mitre link : CVE-2023-5372

CVE.ORG link : CVE-2023-5372


JSON object : View

Products Affected

zyxel

  • nas326
  • nas542_firmware
  • nas542
  • nas326_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')