Vulnerability Description
Authenticated user can execute arbitrary commands in the context of the root user by providing payload in the "destination" field of the network test tools. This is similar to the vulnerability CVE-2021-28151 mitigated on the user interface level by blacklisting characters with JavaScript, however, it can still be exploited by sending POST requests directly.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hongdian | H8951-4G-Esp Firmware | < 2310271149 |
| Hongdian | H8951-4G-Esp | - |
Related Weaknesses (CWE)
References
- https://cert.pl/en/posts/2024/01/CVE-2023-49253/Third Party Advisory
- https://cert.pl/posts/2024/01/CVE-2023-49253/Third Party Advisory
- https://cert.pl/en/posts/2024/01/CVE-2023-49253/Third Party Advisory
- https://cert.pl/posts/2024/01/CVE-2023-49253/Third Party Advisory
FAQ
What is CVE-2023-49254?
CVE-2023-49254 is a vulnerability with a CVSS score of 8.8 (HIGH). Authenticated user can execute arbitrary commands in the context of the root user by providing payload in the "destination" field of the network test tools. This is similar to the vulnerability CVE-20...
How severe is CVE-2023-49254?
CVE-2023-49254 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-49254?
Check the references section above for vendor advisories and patch information. Affected products include: Hongdian H8951-4G-Esp Firmware, Hongdian H8951-4G-Esp.