CVE-2023-3991 CRITICAL

CVE-2023-3991: OS command injection vulnerability in FreshTomato 2023.3

Vendor Freshtomato
Product FreshTomato
Weakness CWE-78
Published October 16, 2023
Last update September 16, 2024

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

An OS command injection vulnerability exists in the httpd iperfrun.cgi functionality of FreshTomato 2023.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

Key dates

02Disclosure timeline

October 16, 2023 CVE published
September 16, 2024 Record updated