CVE-2023-35138

A command injection vulnerability in the “show_zysync_server_contents” function of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas326:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas542:-:*:*:*:*:*:*:*

History

05 Dec 2023, 18:30

Type Values Removed Values Added
CPE cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas542:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas326:-:*:*:*:*:*:*:*
First Time Zyxel nas326 Firmware
Zyxel nas542 Firmware
Zyxel
Zyxel nas326
Zyxel nas542
CWE CWE-78
References () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products - () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products - Patch, Vendor Advisory

30 Nov 2023, 02:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-11-30 02:15

Updated : 2023-12-10 15:26


NVD link : CVE-2023-35138

Mitre link : CVE-2023-35138

CVE.ORG link : CVE-2023-35138


JSON object : View

Products Affected

zyxel

  • nas326
  • nas542_firmware
  • nas326_firmware
  • nas542
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')