ID

VAR-202303-1193


CVE

CVE-2023-24229


TITLE

Command injection vulnerability in DrayTek Corporation Vigor2960 firmware

Trust: 0.8

sources: JVNDB: JVNDB-2023-005276

DESCRIPTION

DrayTek Vigor2960 v1.5.1.4 allows an authenticated attacker with network access to the web management interface to inject operating system commands via the mainfunction.cgi 'parameter' parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. DrayTek Corporation Vigor2960 firmware contains a command injection vulnerability. Information may be obtained or tampered with, and the device may be put into a denial-of-service (DoS) state.

Trust: 1.62

sources: NVD: CVE-2023-24229 // JVNDB: JVNDB-2023-005276

AFFECTED PRODUCTS

vendor: draytek // model: vigor2960 // scope: eq // version: 1.5.1.4

Trust: 1.0

vendor: draytek // model: vigor2960 // scope: - // version: -

Trust: 0.8

vendor: draytek // model: vigor2960 // scope: eq // version: vigor2960 firmware 1.5.1.4

Trust: 0.8

vendor: draytek // model: vigor2960 // scope: eq // version: -

Trust: 0.8

sources: JVNDB: JVNDB-2023-005276 // NVD: CVE-2023-24229

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2023-24229
value: HIGH

Trust: 1.8

CNNVD: CNNVD-202303-1259
value: HIGH

Trust: 0.6

NVD:
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2023-24229
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-005276 // CNNVD: CNNVD-202303-1259 // NVD: CVE-2023-24229

PROBLEMTYPE DATA

problemtype: CWE-77

Trust: 1.0

problemtype: Command injection (CWE-77) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2023-005276 // NVD: CVE-2023-24229

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202303-1259

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202303-1259

CONFIGURATIONS

sources: NVD: CVE-2023-24229

EXTERNAL IDS

db: NVD // id: CVE-2023-24229

Trust: 3.2

db: JVNDB // id: JVNDB-2023-005276

Trust: 0.8

db: CNNVD // id: CNNVD-202303-1259

Trust: 0.6

sources: JVNDB: JVNDB-2023-005276 // CNNVD: CNNVD-202303-1259 // NVD: CVE-2023-24229

REFERENCES

url:https://www.draytek.com/

Trust: 2.4

url:https://github.com/sadwwcxz/vul

Trust: 1.6

url:https://web.archive.org/web/20230315181013/https://github.com/sadwwcxz/vul

Trust: 1.0

url:https://www.draytek.co.uk/support/guides/kb-remotemanagement

Trust: 1.0

url:https://www.draytek.com/about/newsroom/2021/2021/end-of-life-notification-vigor2960

Trust: 1.0

url:https://www.draytek.com/support/knowledge-base/5465

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2023-24229

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2023-24229/

Trust: 0.6

sources: JVNDB: JVNDB-2023-005276 // CNNVD: CNNVD-202303-1259 // NVD: CVE-2023-24229

SOURCES

db: JVNDB // id: JVNDB-2023-005276
db: CNNVD // id: CNNVD-202303-1259
db: NVD // id: CVE-2023-24229

LAST UPDATE DATE

2024-03-21T22:50:30.352000+00:00


SOURCES UPDATE DATE

db: JVNDB // id: JVNDB-2023-005276 // date: 2023-11-07T06:03:00
db: CNNVD // id: CNNVD-202303-1259 // date: 2023-03-21T00:00:00
db: NVD // id: CVE-2023-24229 // date: 2024-03-21T02:46:19.200

SOURCES RELEASE DATE

db: JVNDB // id: JVNDB-2023-005276 // date: 2023-11-07T00:00:00
db: CNNVD // id: CNNVD-202303-1259 // date: 2023-03-15T00:00:00
db: NVD // id: CVE-2023-24229 // date: 2023-03-15T18:15:10.460