Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for wg302v2_firmware by netgear

    CVE-2025-4135 (GCVE-0-2025-4135)

    Vulnerability from nvd – Published: 2025-04-30 17:31 – Updated: 2025-04-30 18:12
    VLAI
    Title
    Netgear WG302v2 ui_get_input_value command injection
    Summary
    A vulnerability was found in Netgear WG302v2 up to 5.2.9 and classified as critical. Affected by this issue is the function ui_get_input_value. The manipulation of the argument host leads to command injection. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Netgear WG302v2 Affected: 5.2.0
    Affected: 5.2.1
    Affected: 5.2.2
    Affected: 5.2.3
    Affected: 5.2.4
    Affected: 5.2.5
    Affected: 5.2.6
    Affected: 5.2.7
    Affected: 5.2.8
    Affected: 5.2.9
    Create a notification for this product.
    Credits
    54357 (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-4135",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T18:12:09.029886Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T18:12:17.638Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WG302v2",
              "vendor": "Netgear",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.2.0"
                },
                {
                  "status": "affected",
                  "version": "5.2.1"
                },
                {
                  "status": "affected",
                  "version": "5.2.2"
                },
                {
                  "status": "affected",
                  "version": "5.2.3"
                },
                {
                  "status": "affected",
                  "version": "5.2.4"
                },
                {
                  "status": "affected",
                  "version": "5.2.5"
                },
                {
                  "status": "affected",
                  "version": "5.2.6"
                },
                {
                  "status": "affected",
                  "version": "5.2.7"
                },
                {
                  "status": "affected",
                  "version": "5.2.8"
                },
                {
                  "status": "affected",
                  "version": "5.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "54357 (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in Netgear WG302v2 up to 5.2.9 and classified as critical. Affected by this issue is the function ui_get_input_value. The manipulation of the argument host leads to command injection. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "Eine Schwachstelle wurde in Netgear WG302v2 bis 5.2.9 gefunden. Sie wurde als kritisch eingestuft. Es geht hierbei um die Funktion ui_get_input_value. Dank Manipulation des Arguments host mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T17:31:04.131Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-306626 | Netgear WG302v2 ui_get_input_value command injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.306626"
            },
            {
              "name": "VDB-306626 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.306626"
            },
            {
              "name": "Submit #560779 | Netgear WG302v2 5.2.9 Command Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.560779"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/jylsec/vuldb/blob/main/Netgear/netgear_WG302v2/Command_injection-basic_settings_handler-static-ip-update/README.md"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.netgear.com/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-04-30T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-04-30T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-04-30T15:04:01.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Netgear WG302v2 ui_get_input_value command injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-4135",
        "datePublished": "2025-04-30T17:31:04.131Z",
        "dateReserved": "2025-04-30T12:58:57.697Z",
        "dateUpdated": "2025-04-30T18:12:17.638Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-38921 (GCVE-0-2023-38921)

    Vulnerability from nvd – Published: 2023-08-07 00:00 – Updated: 2024-10-11 14:13
    VLAI
    Summary
    Netgear WG302v2 v5.2.9 and WAG302v2 v5.1.19 were discovered to contain multiple command injection vulnerabilities in the upgrade_handler function via the firmwareRestore and firmwareServerip parameters.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Impacted products
    Vendor Product Version
    netgear wg302v2 Affected: v5.2.9
        cpe:2.3:h:netgear:wg302v2:-:*:*:*:*:*:*:*
    Create a notification for this product.
    netgear wag302v2 Affected: v5.1.19
        cpe:2.3:h:netgear:wag302v2:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T17:54:39.107Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.netgear.com/about/security/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/FirmRec/IoT-Vulns/tree/main/netgear/upgrade_handler"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:h:netgear:wg302v2:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "wg302v2",
                "vendor": "netgear",
                "versions": [
                  {
                    "status": "affected",
                    "version": "v5.2.9"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:h:netgear:wag302v2:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "wag302v2",
                "vendor": "netgear",
                "versions": [
                  {
                    "status": "affected",
                    "version": "v5.1.19"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-38921",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-11T14:12:52.840555Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-11T14:13:52.918Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Netgear WG302v2 v5.2.9 and WAG302v2 v5.1.19 were discovered to contain multiple command injection vulnerabilities in the upgrade_handler function via the firmwareRestore and firmwareServerip parameters."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-07T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.netgear.com/about/security/"
            },
            {
              "url": "https://github.com/FirmRec/IoT-Vulns/tree/main/netgear/upgrade_handler"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-38921",
        "datePublished": "2023-08-07T00:00:00.000Z",
        "dateReserved": "2023-07-25T00:00:00.000Z",
        "dateUpdated": "2024-10-11T14:13:52.918Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-4135 (GCVE-0-2025-4135)

    Vulnerability from cvelistv5 – Published: 2025-04-30 17:31 – Updated: 2025-04-30 18:12
    VLAI
    Title
    Netgear WG302v2 ui_get_input_value command injection
    Summary
    A vulnerability was found in Netgear WG302v2 up to 5.2.9 and classified as critical. Affected by this issue is the function ui_get_input_value. The manipulation of the argument host leads to command injection. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Netgear WG302v2 Affected: 5.2.0
    Affected: 5.2.1
    Affected: 5.2.2
    Affected: 5.2.3
    Affected: 5.2.4
    Affected: 5.2.5
    Affected: 5.2.6
    Affected: 5.2.7
    Affected: 5.2.8
    Affected: 5.2.9
    Create a notification for this product.
    Credits
    54357 (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-4135",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T18:12:09.029886Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T18:12:17.638Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WG302v2",
              "vendor": "Netgear",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.2.0"
                },
                {
                  "status": "affected",
                  "version": "5.2.1"
                },
                {
                  "status": "affected",
                  "version": "5.2.2"
                },
                {
                  "status": "affected",
                  "version": "5.2.3"
                },
                {
                  "status": "affected",
                  "version": "5.2.4"
                },
                {
                  "status": "affected",
                  "version": "5.2.5"
                },
                {
                  "status": "affected",
                  "version": "5.2.6"
                },
                {
                  "status": "affected",
                  "version": "5.2.7"
                },
                {
                  "status": "affected",
                  "version": "5.2.8"
                },
                {
                  "status": "affected",
                  "version": "5.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "54357 (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in Netgear WG302v2 up to 5.2.9 and classified as critical. Affected by this issue is the function ui_get_input_value. The manipulation of the argument host leads to command injection. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "Eine Schwachstelle wurde in Netgear WG302v2 bis 5.2.9 gefunden. Sie wurde als kritisch eingestuft. Es geht hierbei um die Funktion ui_get_input_value. Dank Manipulation des Arguments host mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T17:31:04.131Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-306626 | Netgear WG302v2 ui_get_input_value command injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.306626"
            },
            {
              "name": "VDB-306626 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.306626"
            },
            {
              "name": "Submit #560779 | Netgear WG302v2 5.2.9 Command Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.560779"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/jylsec/vuldb/blob/main/Netgear/netgear_WG302v2/Command_injection-basic_settings_handler-static-ip-update/README.md"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.netgear.com/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-04-30T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-04-30T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-04-30T15:04:01.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Netgear WG302v2 ui_get_input_value command injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-4135",
        "datePublished": "2025-04-30T17:31:04.131Z",
        "dateReserved": "2025-04-30T12:58:57.697Z",
        "dateUpdated": "2025-04-30T18:12:17.638Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-38921 (GCVE-0-2023-38921)

    Vulnerability from cvelistv5 – Published: 2023-08-07 00:00 – Updated: 2024-10-11 14:13
    VLAI
    Summary
    Netgear WG302v2 v5.2.9 and WAG302v2 v5.1.19 were discovered to contain multiple command injection vulnerabilities in the upgrade_handler function via the firmwareRestore and firmwareServerip parameters.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Impacted products
    Vendor Product Version
    netgear wg302v2 Affected: v5.2.9
        cpe:2.3:h:netgear:wg302v2:-:*:*:*:*:*:*:*
    Create a notification for this product.
    netgear wag302v2 Affected: v5.1.19
        cpe:2.3:h:netgear:wag302v2:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T17:54:39.107Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.netgear.com/about/security/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/FirmRec/IoT-Vulns/tree/main/netgear/upgrade_handler"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:h:netgear:wg302v2:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "wg302v2",
                "vendor": "netgear",
                "versions": [
                  {
                    "status": "affected",
                    "version": "v5.2.9"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:h:netgear:wag302v2:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "wag302v2",
                "vendor": "netgear",
                "versions": [
                  {
                    "status": "affected",
                    "version": "v5.1.19"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-38921",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-11T14:12:52.840555Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-11T14:13:52.918Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Netgear WG302v2 v5.2.9 and WAG302v2 v5.1.19 were discovered to contain multiple command injection vulnerabilities in the upgrade_handler function via the firmwareRestore and firmwareServerip parameters."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-07T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.netgear.com/about/security/"
            },
            {
              "url": "https://github.com/FirmRec/IoT-Vulns/tree/main/netgear/upgrade_handler"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-38921",
        "datePublished": "2023-08-07T00:00:00.000Z",
        "dateReserved": "2023-07-25T00:00:00.000Z",
        "dateUpdated": "2024-10-11T14:13:52.918Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }