CVE-2023-26320 - OpenCVE

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Mi	Xiaomi Router Ax3200 Xiaomi Router Ax3200 Firmware
Xiaomi	Xiaomi Router

Configuration 1 [-]

AND

cpe:2.3:o:mi:xiaomi_router_ax3200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:mi:xiaomi_router_ax3200:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://trust.mi.com/misrc/bulletins/advisory?cveId=540

History

Thu, 19 Sep 2024 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Xiaomi Xiaomi xiaomi Router
CPEs		cpe:2.3:a:xiaomi:xiaomi_router::::::::
Vendors & Products		Xiaomi Xiaomi xiaomi Router
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Xiaomi

Published: 2023-10-11T06:49:50.375Z

Updated: 2024-09-19T13:21:20.751Z

Reserved: 2023-02-22T16:59:28.183Z

Link: CVE-2023-26320

Vulnrichment

Updated: 2024-08-02T11:46:24.543Z

NVD

Status : Analyzed

Published: 2023-10-11T07:15:10.257

Modified: 2023-10-16T19:04:10.920

Link: CVE-2023-26320

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26320", "assignerOrgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "state": "PUBLISHED", "assignerShortName": "Xiaomi", "dateReserved": "2023-02-22T16:59:28.183Z", "datePublished": "2023-10-11T06:49:50.375Z", "dateUpdated": "2024-09-19T13:21:20.751Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Xiaomi Router", "vendor": "Xiaomi", "versions": [{"lessThan": "fw version before 2023.2", "status": "affected", "version": "0", "versionType": "2023.2"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection."}], "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection."}], "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248 Command Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "shortName": "Xiaomi", "dateUpdated": "2023-10-11T06:49:50.375Z"}, "references": [{"url": "https://trust.mi.com/misrc/bulletins/advisory?cveId=540"}], "source": {"discovery": "UNKNOWN"}, "title": "Xiaomi Router external request interface vulnerability leads to stack overflow", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:46:24.543Z"}, "title": "CVE Program Container", "references": [{"url": "https://trust.mi.com/misrc/bulletins/advisory?cveId=540", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "xiaomi", "product": "xiaomi_router", "cpes": ["cpe:2.3:a:xiaomi:xiaomi_router:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2023.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-19T13:15:31.854558Z", "id": "CVE-2023-26320", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T13:21:20.751Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://trust.mi.com/misrc/bulletins/advisory?cveId=540", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:46:24.543Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-26320", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-19T13:15:31.854558Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:xiaomi:xiaomi_router:*:*:*:*:*:*:*:*"], "vendor": "xiaomi", "product": "xiaomi_router", "versions": [{"status": "affected", "version": "0", "lessThan": "2023.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T13:21:10.378Z"}}], "cna": {"title": "Xiaomi Router external request interface vulnerability leads to stack overflow", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248 Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Xiaomi", "product": "Xiaomi Router", "versions": [{"status": "affected", "version": "0", "lessThan": "fw version before 2023.2", "versionType": "2023.2"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://trust.mi.com/misrc/bulletins/advisory?cveId=540"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "shortName": "Xiaomi", "dateUpdated": "2023-10-11T06:49:50.375Z"}}}, "cveMetadata": {"cveId": "CVE-2023-26320", "state": "PUBLISHED", "dateUpdated": "2024-09-19T13:21:20.751Z", "dateReserved": "2023-02-22T16:59:28.183Z", "assignerOrgId": "b57733aa-7326-4f07-8e09-0be8e0df1909", "datePublished": "2023-10-11T06:49:50.375Z", "assignerShortName": "Xiaomi"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mi:xiaomi_router_ax3200_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B83DBDCF-18F3-4653-AFFB-1674EFB12520", "versionEndExcluding": "2023.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mi:xiaomi_router_ax3200:-:*:*:*:*:*:*:*", "matchCriteriaId": "2E84167F-E0B9-465F-ACD8-2202FDA73949", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection."}, {"lang": "es", "value": "La neutralizaci\u00f3n inadecuada de los elementos especiales utilizados en una vulnerabilidad de comando (\"Inyecci\u00f3n de comando\") en Xiaomi Router permite la inyecci\u00f3n de comando."}], "id": "CVE-2023-26320", "lastModified": "2023-10-16T19:04:10.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@xiaomi.com", "type": "Secondary"}]}, "published": "2023-10-11T07:15:10.257", "references": [{"source": "security@xiaomi.com", "tags": ["Vendor Advisory"], "url": "https://trust.mi.com/misrc/bulletins/advisory?cveId=540"}], "sourceIdentifier": "security@xiaomi.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-77"}], "source": "security@xiaomi.com", "type": "Secondary"}]}