Vulnerability CVE-2023-26213


Published: 2023-03-03

Description:
On Barracuda CloudGen WAN Private Edge Gateway devices before 8 webui-sdwan-1089-8.3.1-174141891, an OS command injection vulnerability exists in /ajax/update_certificate - a crafted HTTP request allows an authenticated attacker to execute arbitrary commands. For example, a name field can contain :password and a password field can contain shell metacharacters.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
Barracuda CloudGen WAN OS Command Injection
Stefan Viehbock
06.03.2023

Type:

CWE-78

(Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') )

 References:
http://seclists.org/fulldisclosure/2023/Mar/2
https://sec-consult.com/vulnerability-lab/advisory/os-command-injection-in-barracuda-cloudgen-wan/
https://campus.barracuda.com/product/cloudgenwan/doc/96024723/release-notes-8-3-1/
https://www.barracuda.com/products/network-security/cloudgen-wan

Copyright 2024, cxsecurity.com

 

Back to Top