CVE-2024-8881

A post-authentication command injection vulnerability in the CGI program in the Zyxel GS1900-48 switch firmware version V2.80(AAHN.1)C0 and earlier could allow an authenticated, LAN-based attacker with administrator privileges to execute some operating system (OS) commands on an affected device by sending a crafted HTTP request.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:zyxel:gs1900-8_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-8:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:zyxel:gs1900-8hp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-8hp:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:zyxel:gs1900-10hp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-10hp:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:zyxel:gs1900-16_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-16:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:zyxel:gs1900-24_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-24:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:zyxel:gs1900-24e_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-24e:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:zyxel:gs1900-24ep_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-24ep:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:zyxel:gs1900-24hpv2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-24hpv2:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:zyxel:gs1900-48_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-48:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:zyxel:gs1900-48hpv2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-48hpv2:-:*:*:*:*:*:*:*

History

14 Nov 2024, 13:51

Type Values Removed Values Added
CPE cpe:2.3:o:zyxel:gs1900-16_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-24e_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-48hpv2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-24e:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-24hpv2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-10hp:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-48:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-24_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-24ep_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-8hp:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-8hp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-24hpv2:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-48_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-8_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-24:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-48hpv2:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-24ep:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-16:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:gs1900-10hp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:gs1900-8:-:*:*:*:*:*:*:*
First Time Zyxel gs1900-8hp Firmware
Zyxel gs1900-48hpv2 Firmware
Zyxel gs1900-24e
Zyxel gs1900-10hp Firmware
Zyxel gs1900-8
Zyxel
Zyxel gs1900-24ep Firmware
Zyxel gs1900-16
Zyxel gs1900-24hpv2
Zyxel gs1900-8hp
Zyxel gs1900-24
Zyxel gs1900-24hpv2 Firmware
Zyxel gs1900-10hp
Zyxel gs1900-16 Firmware
Zyxel gs1900-48
Zyxel gs1900-24 Firmware
Zyxel gs1900-48 Firmware
Zyxel gs1900-24e Firmware
Zyxel gs1900-24ep
Zyxel gs1900-48hpv2
Zyxel gs1900-8 Firmware
References () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-and-buffer-overflow-vulnerabilities-in-gs1900-series-switches-11-12-2024 - () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-and-buffer-overflow-vulnerabilities-in-gs1900-series-switches-11-12-2024 - Vendor Advisory

12 Nov 2024, 13:55

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad de inyección de comandos posterior a la autenticación en el programa CGI en el firmware del conmutador Zyxel GS1900-48 versión V2.80(AAHN.1)C0 y anteriores podría permitir que un atacante autenticado basado en LAN con privilegios de administrador ejecute algunos comandos del sistema operativo (OS) en un dispositivo afectado mediante el envío de una solicitud HTTP manipulada.

12 Nov 2024, 02:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-11-12 02:15

Updated : 2024-11-14 13:51


NVD link : CVE-2024-8881

Mitre link : CVE-2024-8881

CVE.ORG link : CVE-2024-8881


JSON object : View

Products Affected

zyxel

  • gs1900-16
  • gs1900-16_firmware
  • gs1900-24
  • gs1900-48_firmware
  • gs1900-48
  • gs1900-24hpv2_firmware
  • gs1900-8_firmware
  • gs1900-24e_firmware
  • gs1900-48hpv2_firmware
  • gs1900-24_firmware
  • gs1900-8
  • gs1900-8hp
  • gs1900-10hp
  • gs1900-8hp_firmware
  • gs1900-24e
  • gs1900-48hpv2
  • gs1900-24ep_firmware
  • gs1900-24hpv2
  • gs1900-24ep
  • gs1900-10hp_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')