CVE-2023-26319 - Vulnerability Details - OpenCVE

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00716.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Mi	Xiaomi Router Ax3200 Xiaomi Router Ax3200 Firmware
Xiaomi	Xiaomi Router

Configuration 1 [-]

AND

cpe:2.3:o:mi:xiaomi_router_ax3200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:mi:xiaomi_router_ax3200:-:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-30140	Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://trust.mi.com/misrc/bulletins/advisory?cveId=536

History

Tue, 08 Oct 2024 10:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-78

Tue, 08 Oct 2024 09:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-78

Tue, 08 Oct 2024 09:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-78	CWE-120

Tue, 08 Oct 2024 09:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-78

Thu, 19 Sep 2024 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Xiaomi Xiaomi xiaomi Router
CPEs		cpe:2.3:a:xiaomi:xiaomi_router::::::::
Vendors & Products		Xiaomi Xiaomi xiaomi Router
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Xiaomi

Published: 2023-10-11T06:45:07.195Z

Updated: 2024-10-08T09:15:37.726Z

Reserved: 2023-02-22T16:59:28.183Z

Link: CVE-2023-26319

Vulnrichment

Updated: 2024-08-02T11:46:24.071Z

NVD

Status : Modified

Published: 2023-10-11T07:15:10.103

Modified: 2024-11-21T07:51:07.050

Link: CVE-2023-26319

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26319", "assignerOrgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "state": "PUBLISHED", "assignerShortName": "Xiaomi", "dateReserved": "2023-02-22T16:59:28.183Z", "datePublished": "2023-10-11T06:45:07.195Z", "dateUpdated": "2024-10-08T09:15:37.726Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Xiaomi Router", "vendor": "Xiaomi", "versions": [{"lessThan": "fw version before 2023.2", "status": "affected", "version": "0", "versionType": "2023.2"}]}], "datePublic": "2023-08-01T02:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection."}], "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection."}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "shortName": "Xiaomi", "dateUpdated": "2024-10-08T09:15:37.726Z"}, "references": [{"url": "https://trust.mi.com/misrc/bulletins/advisory?cveId=536"}], "source": {"discovery": "UNKNOWN"}, "title": "Xiaomi Router administration interface vulnerability leads command injection and stack overflow", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:46:24.071Z"}, "title": "CVE Program Container", "references": [{"url": "https://trust.mi.com/misrc/bulletins/advisory?cveId=536", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "xiaomi", "product": "xiaomi_router", "cpes": ["cpe:2.3:a:xiaomi:xiaomi_router:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "2023.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-19T14:15:04.102560Z", "id": "CVE-2023-26319", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T14:15:55.358Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://trust.mi.com/misrc/bulletins/advisory?cveId=536", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:46:24.071Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-26319", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-19T14:15:04.102560Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:xiaomi:xiaomi_router:*:*:*:*:*:*:*:*"], "vendor": "xiaomi", "product": "xiaomi_router", "versions": [{"status": "affected", "version": "0", "lessThan": "2023.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T14:15:49.970Z"}}], "cna": {"title": "Xiaomi Router administration interface vulnerability leads command injection and stack overflow", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Xiaomi", "product": "Xiaomi Router", "versions": [{"status": "affected", "version": "0", "lessThan": "fw version before 2023.2", "versionType": "2023.2"}], "defaultStatus": "unaffected"}], "datePublic": "2023-08-01T02:00:00.000Z", "references": [{"url": "https://trust.mi.com/misrc/bulletins/advisory?cveId=536"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "providerMetadata": {"orgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "shortName": "Xiaomi", "dateUpdated": "2024-10-08T09:15:37.726Z"}}}, "cveMetadata": {"cveId": "CVE-2023-26319", "state": "PUBLISHED", "dateUpdated": "2024-10-08T09:15:37.726Z", "dateReserved": "2023-02-22T16:59:28.183Z", "assignerOrgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "datePublished": "2023-10-11T06:45:07.195Z", "assignerShortName": "Xiaomi"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mi:xiaomi_router_ax3200_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B83DBDCF-18F3-4653-AFFB-1674EFB12520", "versionEndExcluding": "2023.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mi:xiaomi_router_ax3200:-:*:*:*:*:*:*:*", "matchCriteriaId": "2E84167F-E0B9-465F-ACD8-2202FDA73949", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection."}, {"lang": "es", "value": "La neutralizaci\u00f3n inadecuada de los elementos especiales utilizados en una vulnerabilidad de comando (\"Inyecci\u00f3n de comando\") en Xiaomi Router permite la inyecci\u00f3n de comando."}], "id": "CVE-2023-26319", "lastModified": "2024-11-21T07:51:07.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "security@xiaomi.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-11T07:15:10.103", "references": [{"source": "security@xiaomi.com", "tags": ["Vendor Advisory"], "url": "https://trust.mi.com/misrc/bulletins/advisory?cveId=536"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://trust.mi.com/misrc/bulletins/advisory?cveId=536"}], "sourceIdentifier": "security@xiaomi.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "security@xiaomi.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}