HIGH🇵🇱 Wersja polska

CVE-2023-49254

CVSS 8.8v3.1pub. 2024-01-12upd. 2025-06-20

Authenticated user can execute arbitrary commands in the context of the root user by providing payload in the "destination" field of the network test tools. This is similar to the vulnerability CVE-2021-28151 mitigated on the user interface level by blacklisting characters with JavaScript, however, it can still be exploited by sending POST requests directly.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Hongdian H8951 4g Esp

    HW
    Hongdian
    wszystkie wersje
  • Hongdian H8951 4g Esp Firmware

    OS
    Hongdian
    < 2310271149
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2023-49253CRITICAL9.8PL ✓ten sam produkt

Hardkodowane hasło roota w urządzeniu Hongdian H8951-4G-Esp

CVE-2023-49255CRITICAL9.8PL ✓ten sam produkt

Hongdian H8951-4G-Esp — dostęp do konsoli routera bez uwierzytelnienia

CVE-2023-49262CRITICAL9.8PL ✓ten sam produkt

Pominięcie uwierzytelnienia przez przepełnienie pola Cookie w Hongdian H8951-4G-Esp

CVE-2023-49257HIGH8.8ten sam produkt

An authenticated user is able to upload an arbitrary CGI-compatible file using the certificate upload utility ...

CVE-2023-49259HIGH7.5ten sam produkt

The authentication cookies are generated using an algorithm based on the username, hardcoded secret and the up...