4 matches found
Command injection
An OS command injection vulnerability exists in the admin.cgi USSD_send functionality of peplink Surf SOHO HW1 v6.3.5 in QEMU. A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability...
CVE-2023-27380
CVE-2023-27380 affects Peplink Surf SOHO HW1, specifically the admin.cgi USSD_send endpoint. A crafted authenticated HTTP POST to the GSM/USSD_send path can reach the vulnerable code and, due to an unchecked ussd_code parameter, construct and execute an OS command with root privileges (mdstatus an...
CVE-2023-27380
An OS command injection vulnerability exists in the admin.cgi USSD_send functionality of peplink Surf SOHO HW1 v6.3.5 in QEMU. A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability...
peplink Surf SOHO HW1 admin.cgi USSD_send OS command injection vulnerability
Talos Vulnerability Report TALOS-2023-1780 peplink Surf SOHO HW1 admin.cgi USSD_send OS command injection vulnerability October 11, 2023 CVE Number CVE-2023-27380 SUMMARY An OS command injection vulnerability exists in the admin.cgi USSD_send functionality of peplink Surf SOHO HW1 v6.3.5 in QEMU. A...