CVE-2024-29976

Published: Jun 4, 2024Modified: Jan 22, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: security@zyxel.com.tw (Secondary)

Description

** UNSUPPORTED WHEN ASSIGNED ** The improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device.

Affected (2)

Products: Zyxel: Nas326 Firmware, Nas542 Firmware

2 products

Nas326 Firmware

Nas542 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Nas326 Firmware	Before 5.21\(aazf.17\)c0

Running on/with	Platform Versions
Zyxel Nas326	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Nas542 Firmware	Before 5.21\(abag.14\)c0

Running on/with	Platform Versions
Zyxel Nas542	All versions

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (4)

https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/

Source: security@zyxel.com.tw

ExploitThird Party Advisory

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024

Source: security@zyxel.com.tw

Vendor Advisory

https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.