Details of VAR-202308-3583

ID

VAR-202308-3583

CVE

CVE-2023-40798

TITLE

Shenzhen Tenda Technology Co.,Ltd. of ac23 Firmware Input Validation Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2023-022880

DESCRIPTION

In Tenda AC23 v16.03.07.45_cn, the formSetIPv6status and formGetWanParameter functions do not authenticate user input parameters, resulting in a post-authentication stack overflow vulnerability. Shenzhen Tenda Technology Co.,Ltd. of ac23 There is an input validation vulnerability in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2023-40798 // JVNDB: JVNDB-2023-022880 // VULMON: CVE-2023-40798

AFFECTED PRODUCTS

vendor:	tenda	model:	ac23	scope:	eq	version:	16.03.07.45_cn	Trust: 1.0
vendor:	tenda	model:	ac23	scope:	eq	version:	-	Trust: 0.8
vendor:	tenda	model:	ac23	scope:	eq	version:	ac23 firmware 16.03.07.45 cn	Trust: 0.8
vendor:	tenda	model:	ac23	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2023-022880 // NVD: CVE-2023-40798

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-40798
value:	HIGH
Trust: 1.0
NVD:	CVE-2023-40798
value:	HIGH
Trust: 0.8

nvd@nist.gov:	CVE-2023-40798
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2023-40798
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-022880 // NVD: CVE-2023-40798

PROBLEMTYPE DATA

problemtype:	CWE-20	Trust: 1.0
problemtype:	Inappropriate input confirmation (CWE-20) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-022880 // NVD: CVE-2023-40798

EXTERNAL IDS

db:	NVD	id:	CVE-2023-40798	Trust: 2.7
db:	JVNDB	id:	JVNDB-2023-022880	Trust: 0.8
db:	VULMON	id:	CVE-2023-40798	Trust: 0.1

sources: VULMON: CVE-2023-40798 // JVNDB: JVNDB-2023-022880 // NVD: CVE-2023-40798

REFERENCES

url:	https://github.com/lst-oss/vulnerability/tree/main/tenda/ac23/formsetipv6status-formgetwanparameter	Trust: 1.9
url:	https://nvd.nist.gov/vuln/detail/cve-2023-40798	Trust: 0.8
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2023-40798 // JVNDB: JVNDB-2023-022880 // NVD: CVE-2023-40798

SOURCES

db:	VULMON	id:	CVE-2023-40798
db:	JVNDB	id:	JVNDB-2023-022880
db:	NVD	id:	CVE-2023-40798

LAST UPDATE DATE

2024-08-14T15:26:26.478000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2023-40798	date:	2023-08-25T00:00:00
db:	JVNDB	id:	JVNDB-2023-022880	date:	2024-01-24T07:19:00
db:	NVD	id:	CVE-2023-40798	date:	2023-08-29T16:10:53.747

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2023-40798	date:	2023-08-25T00:00:00
db:	JVNDB	id:	JVNDB-2023-022880	date:	2024-01-24T00:00:00
db:	NVD	id:	CVE-2023-40798	date:	2023-08-25T16:15:08.510