CVE-2023-49226

Published: Dec 25, 2023Modified: Nov 21, 2024

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

An issue was discovered in Peplink Balance Two before 8.4.0. Command injection in the traceroute feature of the administration console allows users with admin privileges to execute arbitrary commands as root.

Affected (1)

Products: Peplink: Balance Two Firmware

Peplink

1 product

Balance Two Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Peplink Balance Two Firmware	Before 8.4.0

Running on/with	Platform Versions
Peplink Balance Two	All versions

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (4)

https://www.synacktiv.com/publications%253Ffield_tags_target_id%253D4

Source: cve@mitre.org

Third Party Advisory

https://www.synacktiv.com/sites/default/files/2023-12/synacktiv-peplink-multiple-vulnerabilities.pdf

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.synacktiv.com/publications%253Ffield_tags_target_id%253D4

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.synacktiv.com/sites/default/files/2023-12/synacktiv-peplink-multiple-vulnerabilities.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.