CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
28.0%
An authentication bypass vulnerability exists in the N300 Wireless N VDSL2 Modem Router manufactured by Tenda. This vulnerability allows a remote, unauthenticated user to access sensitive information.
CVE-2023-4498 is an authentication bypass vulnerability that enables an unauthenticated attacker who has access to the web console, either locally or remotely, to access resources that would normally be protected. The attacker can construct a web request that includes a white-listed keyword in the path, causing the URL to be served directly (rather than blocked or challenged with an authentication prompt).
Successful exploitation of this vulnerability could grant the attacker access to pages that would otherwise require authentication. An unauthenticated attacker could thereby gain access to sensitive information, such as the Administrative password, which could be used to launch additional attacks.
There is no known solution to the vulnerability. Always update your router to the latest available firmware version. Disabling both the remote (WAN-side) administration services and the web interface on the WAN on any SoHo router is also recommended.
Thanks to the reporter from the Spike Reply Cybersecurity Team. This document was written by Timur Snoke.
304455
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Notified: 2023-08-01 Updated: 2023-09-06 CVE-2023-4498 | Unknown |
---|
We have not received a statement from the vendor.
The vendor has been unresponsive and has not addressed this issue as far as we know.
CVE IDs: | CVE-2023-4498 |
---|---|
API URL: | VINCE JSON |
Date Public: | 2023-09-06 Date First Published: |