
JVNDB-2023-009619

OS command injection vulnerability in DT900

Overview

DT900 contains an OS command injection vulnerability.

Reported by Mr. Gianluca Altomani for NEC-PSIRT.

CVSS Severity

Affected Products


NEC Corporation
  • ITK-12D-1(BK)TEL firmware (USA)
  • ITK-12D-1P(BK)TEL firmware (Europe/Asia)
  • ITK-12DG-1P(BK)TEL firmware (Europe/Asia)
  • ITK-32LCG-1P(BK)TEL firmware (Europe/Asia)
  • ITK-32LCGS-1(BK)TEL firmware (USA)
  • ITK-32LCGS-1A(BK)TEL firmware (Australia)
  • ITK-32LCGS-1P(BK)TEL firmware (Europe/Asia)
  • ITK-32TCG-1P(BK)TEL firmware (Europe/Asia)
  • ITK-32TCGS-1(BK)REL firmware (USA)
  • ITK-32TCGS-1A(BK)TEL firmware (Australia)
  • ITK-32TCGS-1P(BK)TEL firmware (Europe/Asia)
  • ITK-6D-1(BK)TEL firmware (USA)
  • ITK-6D-1P(BK)TEL firmware (Europe/Asia)
  • ITK-6DG-1P(BK)TEL firmware (Europe/Asia)
  • ITK-6DGS-1(BK)TEL firmware (USA)
  • ITK-6DGS-1A(BK)TEL firmware (Australia)
  • ITK-6DGS-1P(BK)TEL firmware (Europe/Asia)
  • ITK-8LCG-1P(BK)TEL firmware (Europe/Asia)
  • ITK-8LCX-1(BK)TEL firmware (USA)
  • ITK-8LCX-1P(BK)TEL firmware (Europe/Asia)
  • ITK-8TCGX-1(BK)TEL firmware (USA)
  • ITK-8TCGX-1P(BK)TEL firmware (Europe/Asia)

Please refer to Vendor Information for more details.
Impact

Regarding the impact of the vulnerability, please refer to the vendor advisory.
Solution

Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Vendor Information

NEC Corporation
CWE

  1. OS Command Injection (CWE-78) [Vendor Evaluation]
CVE

  1. CVE-2023-3741
References

  1. National Vulnerability Database (NVD) : CVE-2023-3741
Revision History

  • [2023/12/06]
      Web page was published