Command Injection Vulnerability in DrayTek Vigor2960
CVE-2023-24229

7.8HIGH

Key Information:

Vendor: Draytek
Status: Vigor2960 Firmware
Vendor: CVE Published:; 15 March 2023

What is CVE-2023-24229?

The DrayTek Vigor2960, specifically version v1.5.1.4, is susceptible to a command injection vulnerability that allows authenticated attackers with network access to exploit the web management interface. Through the manipulation of the 'parameter' parameter in the mainfunction.cgi script, an attacker can inject operating system commands, potentially compromising the device's integrity. It's important to note that this vulnerability is limited to devices that have reached their end-of-life and are no longer supported by the vendor.

References

https://www.draytek.com/

https://github.com/sadwwcxz/Vul

https://web.archive.org/web/20230315181013/https://github...

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 15, 2023
Vulnerability Reserved
Jan 23, 2023

Draytek

What is CVE-2023-24229?

References

CVSS V3.1

Timeline