CVE-2023-46306

nvd nist
Published: Oct 22, 2023
Modified: Nov 21, 2024

Score: 6.6
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.7 / Impact: 5.9
Source: NVD

Description

The web administration interface in NetModule Router Software (NRSW) 4.6 before 4.6.0.106 and 4.8 before 4.8.0.101 executes an OS command constructed with unsanitized user input: shell metacharacters in the /admin/gnssAutoAlign.php device_id parameter. This occurs because another thread can be started before the trap that triggers the cleanup function. A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges. NOTE: this is different from CVE-2023-0861 and CVE-2023-0862, which were fixed in version 4.6.0.105.

Affected (2)

1 product
Netmodule Router Software
Configuration A
2 vulnerable · 8 platform
Vulnerable Software: Affected Versions
Netmodule: Before 4.6.0.105; From 4.7.0.0 to 4.7.0.103

Running on/with: Platform Versions
Netmodule Nb1601: All versions
Netmodule Nb1800: All versions
Netmodule Nb1810: All versions
Netmodule Nb2800: All versions
Netmodule Nb2810: All versions
Netmodule Nb3701: All versions
Netmodule Nb3800: All versions
Netmodule Ng800: All versions
