Sign-up

ID

VAR-202307-1177


CVE

CVE-2023-38095


TITLE

of netgear  ProSAFE Network Management System  Vulnerability in unlimited upload of dangerous types of files in

Trust: 0.8

sources: JVNDB: JVNDB-2023-028060

DESCRIPTION

NETGEAR ProSAFE Network Management System MFileUploadController Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the MFileUploadController class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19717. of netgear ProSAFE Network Management System Contains a vulnerability related to unlimited uploads of dangerous types of files.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 2.79

sources: NVD: CVE-2023-38095 // JVNDB: JVNDB-2023-028060 // ZDI: ZDI-23-921 // CNVD: CNVD-2024-33897

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-33897

AFFECTED PRODUCTS

vendor:netgearmodel:prosafe network management systemscope:ltversion:1.7.0.20

Trust: 1.0

vendor:ネットギアmodel:prosafe network management systemscope:eqversion: -

Trust: 0.8

vendor:ネットギアmodel:prosafe network management systemscope: - version: -

Trust: 0.8

vendor:ネットギアmodel:prosafe network management systemscope:eqversion:1.7.0.20

Trust: 0.8

vendor:netgearmodel:prosafe network management systemscope: - version: -

Trust: 0.7

vendor:netgearmodel:prosafescope: - version: -

Trust: 0.6

sources: ZDI: ZDI-23-921 // CNVD: CNVD-2024-33897 // JVNDB: JVNDB-2023-028060 // NVD: CVE-2023-38095

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com: CVE-2023-38095
value: HIGH

Trust: 1.0

nvd@nist.gov: CVE-2023-38095
value: HIGH

Trust: 1.0

NVD: CVE-2023-38095
value: HIGH

Trust: 0.8

ZDI: CVE-2023-38095
value: HIGH

Trust: 0.7

CNVD: CNVD-2024-33897
value: HIGH

Trust: 0.6

CNVD: CNVD-2024-33897
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

zdi-disclosures@trendmicro.com: CVE-2023-38095
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2023-38095
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ZDI: CVE-2023-38095
baseSeverity: HIGH
baseScore: 8.8
vectorString: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-23-921 // CNVD: CNVD-2024-33897 // JVNDB: JVNDB-2023-028060 // NVD: CVE-2023-38095 // NVD: CVE-2023-38095

PROBLEMTYPE DATA

problemtype:CWE-434

Trust: 1.0

problemtype:Unlimited uploads of dangerous types of files (CWE-434) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-028060 // NVD: CVE-2023-38095

PATCH

title:NETGEAR has issued an update to correct this vulnerability.url:https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabilities-on-the-ProSAFE-Network-Management-System-PSV-2023-0024-PSV-2023-0025

Trust: 0.7

title:Patch for NETGEAR ProSAFE arbitrary file upload vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/574006

Trust: 0.6

sources: ZDI: ZDI-23-921 // CNVD: CNVD-2024-33897

EXTERNAL IDS

db:NVDid:CVE-2023-38095

Trust: 3.9

db:ZDIid:ZDI-23-921

Trust: 2.5

db:JVNDBid:JVNDB-2023-028060

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-19717

Trust: 0.7

db:CNVDid:CNVD-2024-33897

Trust: 0.6

sources: ZDI: ZDI-23-921 // CNVD: CNVD-2024-33897 // JVNDB: JVNDB-2023-028060 // NVD: CVE-2023-38095

REFERENCES

url:https://kb.netgear.com/000065707/security-advisory-for-multiple-vulnerabilities-on-the-prosafe-network-management-system-psv-2023-0024-psv-2023-0025

Trust: 2.5

url:https://www.zerodayinitiative.com/advisories/zdi-23-921/

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2023-38095

Trust: 0.8

url:http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2023-38095

Trust: 0.6

sources: ZDI: ZDI-23-921 // CNVD: CNVD-2024-33897 // JVNDB: JVNDB-2023-028060 // NVD: CVE-2023-38095

CREDITS

Steven Seeley of Source Incite

Trust: 0.7

sources: ZDI: ZDI-23-921

SOURCES

db:ZDIid:ZDI-23-921
db:CNVDid:CNVD-2024-33897
db:JVNDBid:JVNDB-2023-028060
db:NVDid:CVE-2023-38095

LAST UPDATE DATE

2025-02-08T23:22:45.873000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-23-921date:2023-07-13T00:00:00
db:CNVDid:CNVD-2024-33897date:2024-07-30T00:00:00
db:JVNDBid:JVNDB-2023-028060date:2025-02-07T01:28:00
db:NVDid:CVE-2023-38095date:2025-02-06T18:01:51.207

SOURCES RELEASE DATE

db:ZDIid:ZDI-23-921date:2023-07-13T00:00:00
db:CNVDid:CNVD-2024-33897date:2024-07-25T00:00:00
db:JVNDBid:JVNDB-2023-028060date:2025-02-07T00:00:00
db:NVDid:CVE-2023-38095date:2024-05-03T02:15:51.897