CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-6342
https://notcve.org/view.php?id=CVE-2024-6342
10 Sep 2024 — A command injection vulnerability in the export-cgi program of Zyxel NAS326 firmware versions through V5.21(AAZF.18)C0 and NAS542 firmware versions through V5.21(ABAG.15)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request. **UNSUPPORTED WHEN ASSIGNED** A command injection vulnerability in the export-cgi program of Zyxel NAS326 firmware versions through V5.21(AAZF.18)C0 and NAS542 firmware versions through V5.21(ABAG.15)C0 could all... • https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-nas-products-09-10-2024 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 1CVE-2024-29976
https://notcve.org/view.php?id=CVE-2024-29976
04 Jun 2024 — The improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device. La vulnerabilidad de administración de privilegios inadecuada en el comando “show_allsessions” en las versiones de firmware Zyxel NAS326 anteriores a V5.21(AAZF.17)C0 y versiones de... • https://github.com/Pommaq/CVE-2024-29972-CVE-2024-29976-CVE-2024-29973-CVE-2024-29975-CVE-2024-29974-poc • CWE-269: Improper Privilege Management •
CVSS: 6.7EPSS: 0%CPEs: 2EXPL: 1CVE-2024-29975
https://notcve.org/view.php?id=CVE-2024-29975
04 Jun 2024 — The improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device. La vulnerabilidad de administración de privilegios inadecuada en el binario ejecutable SUID en las versiones de firmware Zyxel NAS326 anteriores a V5.21(AAZF.17)C0 y versione... • https://github.com/Pommaq/CVE-2024-29972-CVE-2024-29976-CVE-2024-29973-CVE-2024-29975-CVE-2024-29974-poc • CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2024-29974
https://notcve.org/view.php?id=CVE-2024-29974
04 Jun 2024 — The remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device. La vulnerabilidad de ejecución remota de código en el programa CGI “file_upload-cgi” en las versiones de firmware Zyxel NAS326 anteriores a V5.21(AAZF.17)C0 y versiones de firmware NAS542 ante... • https://github.com/Pommaq/CVE-2024-29972-CVE-2024-29976-CVE-2024-29973-CVE-2024-29975-CVE-2024-29974-poc • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 1%CPEs: 2EXPL: 7CVE-2024-29973
https://notcve.org/view.php?id=CVE-2024-29973
04 Jun 2024 — The command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request. La vulnerabilidad de inyección de comando en el parámetro “setCookie” en las versiones de firmware Zyxel NAS326 anteriores a V5.21(AAZF.17)C0 y en las versiones de firmware NAS542 anteriores a V5.21(ABAG.14)C0... • https://github.com/RevoltSecurities/CVE-2024-29973 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 1%CPEs: 2EXPL: 3CVE-2024-29972
https://notcve.org/view.php?id=CVE-2024-29972
04 Jun 2024 — The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request. La vulnerabilidad de inyección de comando en el programa CGI "remote_help-cgi" en las versiones de firmware Zyxel NAS326 anteriores a V5.21(AAZF.17)C0 y en las versiones de firmware NAS542 anteriores a... • https://github.com/codeb0ss/CVE-2024-29972-PoC • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-5372
https://notcve.org/view.php?id=CVE-2023-5372
30 Jan 2024 — The post-authentication command injection vulnerability in Zyxel NAS326 firmware versions through V5.21(AAZF.15)C0 and NAS542 firmware versions through V5.21(ABAG.12)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands by sending a crafted query parameter attached to the URL of an affected device’s web management interface. La vulnerabilidad de inyección de comando posterior a la autenticación en las versiones de firmware Zyxel NAS326 hasta V5... • https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-nas-products-01-30-2024 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-4474
https://notcve.org/view.php?id=CVE-2023-4474
30 Nov 2023 — The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device. La neutralización inadecuada de elementos especiales en el servidor WSGI del firmware Zyxel NAS326 versión V5.21(AAZF.14)C0 y NAS542 versión V5.21(ABAG.11)C0 podría permitir que un atacante no autenticado ejecu... • https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-4473
https://notcve.org/view.php?id=CVE-2023-4473
30 Nov 2023 — A command injection vulnerability in the web server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device. Una vulnerabilidad de inyección de comandos en el servidor web de la versión de firmware V5.21(AAZF.14)C0 de Zyxel NAS326 y la versión de firmware NAS542 V5.21(ABAG.11)C0 podría permitir que un atacante no autenticado ejecute... • https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-37928
https://notcve.org/view.php?id=CVE-2023-37928
30 Nov 2023 — A post-authentication command injection vulnerability in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device. Una vulnerabilidad de inyección de comando posterior a la autenticación en el servidor WSGI de la versión de firmware V5.21(AAZF.14)C0 de Zyxel NAS326 y la versión de firmware NAS542 V5.21(ABAG.11)C0 podría... • https://bugprove.com/knowledge-hub/cve-2023-37927-and-cve-2023-37928-multiple-post-auth-blind-os-command-and-python-code-injection-vulnerabilities-in-zyxel-s-nas-326-devices • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •