Lucene search

[email protected]CVE-2017-8836

HistoryJun 05, 2017 - 2:29 p.m.

CVE-2017-8836

2017-06-0514:29:00

CWE-352

[email protected]

web.nvd.nist.gov

csrf

peplink

balance

security

vulnerability

firmware

cgi

exploit

nvd

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

58.4%

JSON

CSRF exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The CGI scripts in the administrative interface are affected. This allows an attacker to execute commands, if a logged in user visits a malicious website. This can for example be used to change the credentials of the administrative webinterface.

CPENameOperatorVersion
peplink:b305hw2_firmwarepeplink b305hw2 firmwareeq7.0.1
peplink:380hw6_firmwarepeplink 380hw6 firmwareeq7.0.1
peplink:580hw2_firmwarepeplink 580hw2 firmwareeq7.0.1
peplink:710hw3_firmwarepeplink 710hw3 firmwareeq7.0.1
peplink:1350hw2_firmwarepeplink 1350hw2 firmwareeq7.0.1
peplink:2500_firmwarepeplink 2500 firmwareeq7.0.1

CPE	Name	Operator	Version
peplink:b305hw2_firmware	peplink b305hw2 firmware	eq	7.0.1
peplink:380hw6_firmware	peplink 380hw6 firmware	eq	7.0.1
peplink:580hw2_firmware	peplink 580hw2 firmware	eq	7.0.1
peplink:710hw3_firmware	peplink 710hw3 firmware	eq	7.0.1
peplink:1350hw2_firmware	peplink 1350hw2 firmware	eq	7.0.1
peplink:2500_firmware	peplink 2500 firmware	eq	7.0.1