CVE-2020-24355

Published: Sep 2, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Zyxel VMG5313-B30B router on firmware 5.13(ABCJ.6)b3_1127, and possibly older versions of firmware are affected by insecure permissions which allows regular and other users to create new users with elevated privileges. This is done by changing "FirstIndex" field in JSON that is POST-ed during account creation. Similar may also be possible with account deletion.

Affected (1)

Products: Zyxel: Vmg5313 B30b Firmware

1 product

Vmg5313 B30b Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Vmg5313 B30b Firmware	Up to 5.13\(abcj.6\)b3_1127

Running on/with	Platform Versions
Zyxel Vmg5313 B30b	All versions

Related CWEs

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (6)

https://blog.somegeneric.ninja/Zyxel_VMG5153_B30B

Source: cve@mitre.org

ExploitThird Party Advisory

https://blog.somegeneric.ninja/Zyxel_VMG5153_B30B_part2

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.zyxel.com/support/security_advisories.shtml

Source: cve@mitre.org

Vendor Advisory

https://blog.somegeneric.ninja/Zyxel_VMG5153_B30B

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://blog.somegeneric.ninja/Zyxel_VMG5153_B30B_part2

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.zyxel.com/support/security_advisories.shtml

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.