CVE-2023-37927

The improper neutralization of special elements in the CGI program of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas326:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas542:-:*:*:*:*:*:*:*

History

06 Dec 2023, 01:15

Type Values Removed Values Added
References
  • () https://bugprove.com/knowledge-hub/cve-2023-37927-and-cve-2023-37928-multiple-post-auth-blind-os-command-and-python-code-injection-vulnerabilities-in-zyxel-s-nas-326-devices/¬†-

05 Dec 2023, 18:30

Type Values Removed Values Added
References () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products - () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products - Patch, Vendor Advisory
CPE cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas542:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas326:-:*:*:*:*:*:*:*
First Time Zyxel nas326 Firmware
Zyxel nas542 Firmware
Zyxel
Zyxel nas326
Zyxel nas542

30 Nov 2023, 02:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-11-30 02:15

Updated : 2023-12-10 15:26


NVD link : CVE-2023-37927

Mitre link : CVE-2023-37927

CVE.ORG link : CVE-2023-37927


JSON object : View

Products Affected

zyxel

  • nas542_firmware
  • nas542
  • nas326_firmware
  • nas326
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')