ID

VAR-202009-0964


CVE

CVE-2020-24355


TITLE

Zyxel VMG5313-B30B privilege escalation vulnerability

Trust: 0.6

sources: CNVD: CNVD-2020-51809

DESCRIPTION

Zyxel VMG5313-B30B routers on firmware 5.13(ABCJ.6)b3_1127, and possibly older firmware versions, are affected by insecure permissions that allow regular and other users to create new users with elevated privileges. This is done by changing the "FirstIndex" field in the JSON that is POSTed during account creation. Something similar may also be possible with account deletion. The Zyxel VMG5313-B30B is a router device. A remote attacker can use this privilege escalation vulnerability to submit special requests, create high-privileged users, and elevate privileges.

Trust: 1.44

sources: NVD: CVE-2020-24355 // CNVD: CNVD-2020-51809

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-51809

AFFECTED PRODUCTS

vendor: zyxel, model: vmg5313-b30b, scope: lte, version: 5.13\(abcj.6\)b3_1127

Trust: 1.0

vendor: zyxel, model: vmg5313-b30b, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2020-51809 // NVD: CVE-2020-24355

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-24355
value: CRITICAL

Trust: 1.0

CNVD: CNVD-2020-51809
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202009-078
value: CRITICAL

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2020-24355
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2020-51809
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2020-24355
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2020-51809 // CNNVD: CNNVD-202009-078 // NVD: CVE-2020-24355

PROBLEMTYPE DATA

problemtype:CWE-732

Trust: 1.0

sources: NVD: CVE-2020-24355

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-078

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202009-078

EXTERNAL IDS

db: NVD, id: CVE-2020-24355

Trust: 2.2

db: CNVD, id: CNVD-2020-51809

Trust: 0.6

db: CNNVD, id: CNNVD-202009-078

Trust: 0.6

sources: CNVD: CNVD-2020-51809 // CNNVD: CNNVD-202009-078 // NVD: CVE-2020-24355

REFERENCES

url:https://blog.somegeneric.ninja/zyxel_vmg5153_b30b

Trust: 1.6

url:https://blog.somegeneric.ninja/zyxel_vmg5153_b30b_part2

Trust: 1.6

url:https://www.zyxel.com/support/security_advisories.shtml

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-24355

Trust: 1.2

sources: CNVD: CNVD-2020-51809 // CNNVD: CNNVD-202009-078 // NVD: CVE-2020-24355

SOURCES

db: CNVD, id: CNVD-2020-51809
db: CNNVD, id: CNNVD-202009-078
db: NVD, id: CVE-2020-24355

LAST UPDATE DATE

2024-11-23T22:37:14.931000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-51809, date: 2020-09-14T00:00:00
db: CNNVD, id: CNNVD-202009-078, date: 2021-01-05T00:00:00
db: NVD, id: CVE-2020-24355, date: 2024-11-21T05:14:39.337

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-51809, date: 2020-09-14T00:00:00
db: CNNVD, id: CNNVD-202009-078, date: 2020-09-02T00:00:00
db: NVD, id: CVE-2020-24355, date: 2020-09-02T12:15:10.550