Sign-up

ID

VAR-202307-1283


CVE

CVE-2023-38098


TITLE

of netgear  ProSAFE Network Management System  Vulnerability in unlimited upload of dangerous types of files in

Trust: 0.8

sources: JVNDB: JVNDB-2023-028079

DESCRIPTION

NETGEAR ProSAFE Network Management System UpLoadServlet Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the UpLoadServlet class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19720. of netgear ProSAFE Network Management System Contains a vulnerability related to unlimited uploads of dangerous types of files.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 2.79

sources: NVD: CVE-2023-38098 // JVNDB: JVNDB-2023-028079 // ZDI: ZDI-23-918 // CNVD: CNVD-2024-33667

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-33667

AFFECTED PRODUCTS

vendor:netgearmodel:prosafe network management systemscope:ltversion:1.7.0.20

Trust: 1.0

vendor:ネットギアmodel:prosafe network management systemscope:eqversion: -

Trust: 0.8

vendor:ネットギアmodel:prosafe network management systemscope: - version: -

Trust: 0.8

vendor:ネットギアmodel:prosafe network management systemscope:eqversion:1.7.0.20

Trust: 0.8

vendor:netgearmodel:prosafe network management systemscope: - version: -

Trust: 0.7

vendor:netgearmodel:prosafescope: - version: -

Trust: 0.6

sources: ZDI: ZDI-23-918 // CNVD: CNVD-2024-33667 // JVNDB: JVNDB-2023-028079 // NVD: CVE-2023-38098

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com: CVE-2023-38098
value: HIGH

Trust: 1.0

nvd@nist.gov: CVE-2023-38098
value: HIGH

Trust: 1.0

NVD: CVE-2023-38098
value: HIGH

Trust: 0.8

ZDI: CVE-2023-38098
value: HIGH

Trust: 0.7

CNVD: CNVD-2024-33667
value: HIGH

Trust: 0.6

CNVD: CNVD-2024-33667
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

zdi-disclosures@trendmicro.com: CVE-2023-38098
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2023-38098
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ZDI: CVE-2023-38098
baseSeverity: HIGH
baseScore: 8.8
vectorString: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-23-918 // CNVD: CNVD-2024-33667 // JVNDB: JVNDB-2023-028079 // NVD: CVE-2023-38098 // NVD: CVE-2023-38098

PROBLEMTYPE DATA

problemtype:CWE-434

Trust: 1.0

problemtype:Unlimited uploads of dangerous types of files (CWE-434) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-028079 // NVD: CVE-2023-38098

PATCH

title:NETGEAR has issued an update to correct this vulnerability.url:https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabilities-on-the-ProSAFE-Network-Management-System-PSV-2023-0024-PSV-2023-0025

Trust: 0.7

title:Patch for NETGEAR ProSAFE Arbitrary File Upload Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/574176

Trust: 0.6

sources: ZDI: ZDI-23-918 // CNVD: CNVD-2024-33667

EXTERNAL IDS

db:NVDid:CVE-2023-38098

Trust: 3.9

db:ZDIid:ZDI-23-918

Trust: 2.5

db:JVNDBid:JVNDB-2023-028079

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-19720

Trust: 0.7

db:CNVDid:CNVD-2024-33667

Trust: 0.6

sources: ZDI: ZDI-23-918 // CNVD: CNVD-2024-33667 // JVNDB: JVNDB-2023-028079 // NVD: CVE-2023-38098

REFERENCES

url:https://kb.netgear.com/000065707/security-advisory-for-multiple-vulnerabilities-on-the-prosafe-network-management-system-psv-2023-0024-psv-2023-0025

Trust: 2.5

url:https://www.zerodayinitiative.com/advisories/zdi-23-918/

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2023-38098

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2023-38098

Trust: 0.6

sources: ZDI: ZDI-23-918 // CNVD: CNVD-2024-33667 // JVNDB: JVNDB-2023-028079 // NVD: CVE-2023-38098

CREDITS

Steven Seeley of Source Incite

Trust: 0.7

sources: ZDI: ZDI-23-918

SOURCES

db:ZDIid:ZDI-23-918
db:CNVDid:CNVD-2024-33667
db:JVNDBid:JVNDB-2023-028079
db:NVDid:CVE-2023-38098

LAST UPDATE DATE

2025-02-08T23:17:49.372000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-23-918date:2023-07-13T00:00:00
db:CNVDid:CNVD-2024-33667date:2024-07-26T00:00:00
db:JVNDBid:JVNDB-2023-028079date:2025-02-07T05:11:00
db:NVDid:CVE-2023-38098date:2025-02-06T18:01:42.617

SOURCES RELEASE DATE

db:ZDIid:ZDI-23-918date:2023-07-13T00:00:00
db:CNVDid:CNVD-2024-33667date:2024-07-25T00:00:00
db:JVNDBid:JVNDB-2023-028079date:2025-02-07T00:00:00
db:NVDid:CVE-2023-38098date:2024-05-03T02:15:52.453