← Back

CVE-2024-42059

nvd nist
Published: Sep 3, 2024Modified: Dec 13, 2024

JSON object

Loading...
7.2
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 / Impact: 5.9
Source: security@zyxel.com.tw (Secondary)

Description

A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V5.00 through V5.38, USG FLEX series firmware versions from V5.00 through V5.38, USG FLEX 50(W) series firmware versions from V5.00 through V5.38, and USG20(W)-VPN series firmware versions from V5.00 through V5.38 could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted compressed language file via FTP.

Affected (1)

Products: Zyxel: Zld
Zyxel
1 product
Zld
Configuration A
6 platform
Running on/withPlatform Versions
Zyxel
Atp100
All versions
Zyxel
Atp100w
All versions
Zyxel
Atp200
All versions
Zyxel
Atp500
All versions
Zyxel
Atp700
All versions
Zyxel
Atp800
All versions
Configuration B
8 platform
Running on/withPlatform Versions
Zyxel
Usg Flex 100
All versions
Zyxel
Usg Flex 100ax
All versions
Zyxel
Usg Flex 100w
All versions
Zyxel
Usg Flex 200
All versions
Zyxel
Usg Flex 50
All versions
Zyxel
Usg Flex 500
All versions
Zyxel
Usg Flex 50w
All versions
Zyxel
Usg Flex 700
All versions
Configuration C
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Zld
From 5.00 to 5.39
Running on/withPlatform Versions
Zyxel
Usg 20w Vpn
All versions

Related CWEs

CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (1)

Source: security@zyxel.com.tw
Vendor Advisory

Timeline

No history available yet.