Lucene search

[email protected]NVD:CVE-2023-49254

HistoryJan 12, 2024 - 3:15 p.m.

CVE-2023-49254

2024-01-1215:15:09

CWE-78

[email protected]

web.nvd.nist.gov

authenticated user

root user context

network test tools

vulnerability

mitigated

javascript

blacklisting

exploited

post requests

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.964 High

EPSS

Percentile

99.6%

JSON

Authenticated user can execute arbitrary commands in the context of the root user by providing payload in the “destination” field of the network test tools. This is similar to the vulnerability CVE-2021-28151 mitigated on the user interface level by blacklisting characters with JavaScript, however, it can still be exploited by sending POST requests directly.

Affected configurations

NVD

Node

hongdianh8951-4g-esp_firmwareRange<2310271149

AND

hongdianh8951-4g-espMatch-

References

cert.pl/en/posts/2024/01/CVE-2023-49253/

cert.pl/posts/2024/01/CVE-2023-49253/

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.964 High

EPSS

Percentile

99.6%

JSON

Related for NVD:CVE-2023-49254

cve2 prion2 cvelist2 nuclei1 nvd1 checkpoint_advisories1