History: Jan 12, 2024 - 2:23 p.m.

CVE-2023-49254 Command injection in the network test tools

2024-01-12 14:23:41
CWE-78
CERT-PL
www.cve.org
command injection
network test tools
authenticated user
arbitrary commands
root user
destination field
vulnerability
mitigated
blacklisting characters
javascript
post requests.

AI Score: 9.2 High (Confidence: High)

EPSS: 0.964 High (Percentile: 99.6%)

An authenticated user can execute arbitrary commands in the context of the root user by providing a payload in the “destination” field of the network test tools. This is similar to the vulnerability CVE-2021-28151, which was mitigated at the user interface level by blacklisting characters with JavaScript; however, it can still be exploited by sending POST requests directly.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "H8951-4G-ESP",
    "vendor": "Hongdian",
    "versions": [
      {
        "lessThan": "2310271149",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]
