CVE-2023-4474

The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas326:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas542:-:*:*:*:*:*:*:*

History

06 Dec 2023, 02:15

Type Values Removed Values Added
References
  • () https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/¬†-

05 Dec 2023, 18:28

Type Values Removed Values Added
First Time Zyxel nas326 Firmware
Zyxel nas542 Firmware
Zyxel
Zyxel nas326
Zyxel nas542
References () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products - () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products - Patch, Vendor Advisory
CPE cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas542:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:nas326:-:*:*:*:*:*:*:*

30 Nov 2023, 02:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-11-30 02:15

Updated : 2023-12-10 15:26


NVD link : CVE-2023-4474

Mitre link : CVE-2023-4474

CVE.ORG link : CVE-2023-4474


JSON object : View

Products Affected

zyxel

  • nas326
  • nas542_firmware
  • nas326_firmware
  • nas542
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')