CVE-2023-49694 — Improper Access Control in Netgear Prosafe Network Management System

CWE-284 — Improper Access Control3 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 74.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netgear Prosafe Network Management System Netgear Prosafe Network Management System

Timeline

PublishedNov 29

Latest updateNov 30

Description

A low-privileged OS user with access to a Windows host where NETGEAR ProSAFE Network Management System is installed can create arbitrary JSP files in a Tomcat web application directory. The user can then execute the JSP files under the security context of SYSTEM.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDnetgear/prosafe_network_management_system< 1.7.0.31

▶CVEListV5netgear/netgear_prosafe_network_management_system< 1.7.0.34

🔴Vulnerability Details

GHSA

GHSA-r6ch-gxw2-7ffc: A low-privileged OS user with access to a Windows host where NETGEAR ProSAFE Network Management System is installed can create arbitrary JSP files in↗2023-11-30

▶

CVEList

NETGEAR ProSAFE Network Management System Privilege Escalation Via MySQL Server↗2023-11-29

▶