CVE-2021-26724

Published: Feb 22, 2021Modified: Nov 21, 2024

8.6

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: prodsec@nozominetworks.com (Secondary)

Description

OS Command Injection vulnerability when changing date settings or hostname using web GUI of Nozomi Networks Guardian and CMC allows authenticated administrators to perform remote code execution. This issue affects: Nozomi Networks Guardian 20.0.7.3 version 20.0.7.3 and prior versions. Nozomi Networks CMC 20.0.7.3 version 20.0.7.3 and prior versions.

Affected (4)

Products: Nozominetworks: Central Management Control, Guardian

Nozominetworks

2 products

Central Management Control

Guardian

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Nozominetworks Central Management Control	From 19.0.0 to 19.0.12
Nozominetworks Central Management Control	From 20.0.0.0 to 20.0.7.4
Nozominetworks Guardian	From 19.0.0 to 19.0.12
Nozominetworks Guardian	From 20.0.0.0 to 20.0.7.4

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://security.nozominetworks.com/NN-2021:1-01

Source: prodsec@nozominetworks.com

Vendor Advisory

https://security.nozominetworks.com/NN-2021:1-01

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.