CVE-2023-5372

CWE-78OS Command Injection3 documents3 sources
Severity
7.2HIGH
EPSS
10.1%
top 6.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Zyxel Nas326 FirmwareZyxel Nas542 Firmware
Timeline
PublishedJan 30

Description

The post-authentication command injection vulnerability in Zyxel NAS326 firmware versions through V5.21(AAZF.15)C0 and NAS542 firmware versions through V5.21(ABAG.12)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands by sending a crafted query parameter attached to the URL of an affected device’s web management interface.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages4 packages

NVDzyxel/nas326_firmware< 5.21\(aazf.16\)c0
NVDzyxel/nas542_firmware< 5.21\(abag.13\)c0
CVEListV5zyxel/nas326_firmwareV5.21(AAZF.15)C0
CVEListV5zyxel/nas542_firmwareV5.21(ABAG.12)C0

🔴Vulnerability Details

2
GHSA
GHSA-hgw6-wf28-c5x3: The post-authentication command injection vulnerability in Zyxel NAS326 firmware versions through V52024-01-30
CVEList
CVE-2023-5372: The post-authentication command injection vulnerability in Zyxel NAS326 firmware versions through V52024-01-30
CVE-2023-5372 (HIGH CVSS 7.2) | The post-authentication command inj | cvebase.io