Description
An OS command injection vulnerability in Buffalo network devices allows a network-adjacent attacker with administrative privileges to execute an arbitrary OS command by sending a specially crafted request to a specific CGI program.
CVSS breakdown
CVSS 3.1
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Affected products
- BUFFALO INC. / WEX-1800AX4 – firmware Ver. 1.13 and earlier
- BUFFALO INC. / WEX-1800AX4EA – firmware Ver. 1.13 and earlier
- BUFFALO INC. / WSR-2533DHP2 – firmware Ver. 1.22 and earlier
- BUFFALO INC. / WSR-2533DHP3 – firmware Ver. 1.26 and earlier
- BUFFALO INC. / WSR-2533DHPL2 – firmware Ver. 1.03 and earlier
- BUFFALO INC. / WSR-2533DHPLB – firmware Ver. 1.05
- BUFFALO INC. / WSR-2533DHPLS – firmware Ver. 1.07 and earlier
- BUFFALO INC. / WSR-3200AX4B – firmware Ver. 1.25
- BUFFALO INC. / WSR-3200AX4S – firmware Ver. 1.26 and earlier
- BUFFALO INC. / WSR-A2533DHP2 – firmware Ver. 1.22 and earlier
- BUFFALO INC. / WSR-A2533DHP3 – firmware Ver. 1.26 and earlier
- BUFFALO INC. / WXR-5700AX7B – firmware Ver. 1.27 and earlier
- BUFFALO INC. / WXR-5700AX7S – firmware Ver. 1.27 and earlier