CVE-2023-47422 — Improper Access Control in Ax12 Firmware

CWE-284 — Improper Access Control3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.0%

top 96.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tenda Ax12 Firmware Tenda AX3 Firmware Tenda AX9 Firmware +1 more

Timeline

PublishedFeb 20

Latest updateFeb 21

Description

An access control issue in /usr/sbin/httpd in Tenda TX9 V1 V22.03.02.54, Tenda AX3 V3 V16.03.12.11, Tenda AX9 V1 V22.03.01.46, and Tenda AX12 V1 V22.03.01.46 allows attackers to bypass authentication on any endpoint via a crafted URL.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDtenda/ax12_firmware22.03.01.46

▶NVDtenda/ax3_firmware16.03.12.11

▶NVDtenda/ax9_firmware22.03.01.46

▶NVDtenda/tx9_firmware22.03.02.54

🔴Vulnerability Details

GHSA

GHSA-5hxp-xf5x-xjxf: An access control issue in /usr/sbin/httpd in Tenda TX9 V1 V22↗2024-02-21

▶

CVEList

CVE-2023-47422: An access control issue in /usr/sbin/httpd in Tenda TX9 V1 V22↗2024-02-20

▶