CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-37927
https://notcve.org/view.php?id=CVE-2023-37927
The improper neutralization of special elements in the CGI program of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device. La neutralización inadecuada de elementos especiales en el programa CGI del firmware Zyxel NAS326 versión V5.21(AAZF.14)C0 y NAS542 versión V5.21(ABAG.11)C0 podría permitir que un atacante autenticado ejecute algún sistema operativo (OS ) comandos enviando una URL manipulada a un dispositivo vulnerable. • https://bugprove.com/knowledge-hub/cve-2023-37927-and-cve-2023-37928-multiple-post-auth-blind-os-command-and-python-code-injection-vulnerabilities-in-zyxel-s-nas-326-devices https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-35138
https://notcve.org/view.php?id=CVE-2023-35138
A command injection vulnerability in the “show_zysync_server_contents” function of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request. Una vulnerabilidad de inyección de comando en la función “show_zysync_server_contents” de la versión de firmware V5.21(AAZF.14)C0 de Zyxel NAS326 y la versión de firmware NAS542 V5.21(ABAG.11)C0 podría permitir que un atacante no autenticado ejecute algún comando sistema operativo (OS) enviando una solicitud HTTP POST manipulada. • https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-35137
https://notcve.org/view.php?id=CVE-2023-35137
An improper authentication vulnerability in the authentication module of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to obtain system information by sending a crafted URL to a vulnerable device. Una vulnerabilidad de autenticación incorrecta en el módulo de autenticación de la versión de firmware V5.21(AAZF.14)C0 de Zyxel NAS326 y la versión de firmware NAS542 V5.21(ABAG.11)C0 podría permitir que un atacante no autenticado obtenga información del sistema enviando una URL manipulada a un dispositivo vulnerable. • https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 3%CPEs: 6EXPL: 0CVE-2023-27992 – Zyxel Multiple NAS Devices Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2023-27992
The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request. Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability that could allow an unauthenticated attacker to execute commands remotely via a crafted HTTP request. • https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-pre-authentication-command-injection-vulnerability-in-nas-products • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2023-27988
https://notcve.org/view.php?id=CVE-2023-27988
The post-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.13)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device remotely. • https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-nas-products • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •