Lucene search

[email protected]NVD:CVE-2023-47254

HistoryDec 09, 2023 - 8:15 a.m.

CVE-2023-47254

2023-12-0908:15:06

CWE-78

[email protected]

web.nvd.nist.gov

os command injection

cli interface

draytek vigor167

remote attackers

arbitrary system commands

privilege escalation

web interface

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

55.8%

JSON

An OS Command Injection in the CLI interface on DrayTek Vigor167 version 5.2.2, allows remote attackers to execute arbitrary system commands and escalate privileges via any account created within the web interface.

Affected configurations

Nvd

Node

draytekvigor167Match-

AND

draytekvigor167_firmwareMatch5.2.2

VendorProductVersionCPE
draytekvigor167-cpe:2.3:h:draytek:vigor167:-:*:*:*:*:*:*:*
draytekvigor167_firmware5.2.2cpe:2.3:o:draytek:vigor167_firmware:5.2.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
draytek	vigor167	-	cpe:2.3:h:draytek:vigor167:-:::::::*
draytek	vigor167_firmware	5.2.2	cpe:2.3:o:draytek:vigor167_firmware:5.2.2:::::::*

References

www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-023.txt

www.syss.de/pentest-blog/command-injection-via-cli-des-draytek-vigor167-syss-2023-023

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

55.8%

JSON

Related for NVD:CVE-2023-47254

cve1 prion1 cvelist1