Lucene search

MitreCVE-2020-21884

HistoryApr 09, 2021 - 1:15 p.m.

CVE-2020-21884

2021-04-0913:15:13

CWE-352

mitre

web.nvd.nist.gov

unibox

smb

unibox enterprise

csrf

vulnerability

http request

reconfiguration

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.203

Percentile

96.4%

JSON

Unibox SMB 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a cross-site request forgery (CSRF) vulnerability in /tools/network-trace, /list_users, /list_byod?usertype=raduser, /dhcp_leases, /go?rid=202 in which a specially crafted HTTP request may reconfigure the device.

Affected configurations

Nvd

Node

indionetworksunibox_u50_firmwareMatch2.4

AND

indionetworksunibox_u50Match-

Node

indionetworksunibox_u500Match-

AND

indionetworksunibox_u500_firmwareMatch2.4

Node

indionetworksunibox_u1000Match-

AND

indionetworksunibox_u1000_firmwareMatch2.4

Node

indionetworksunibox_u2500Match-

AND

indionetworksunibox_u2500_firmwareMatch2.4

Node

indionetworksunibox_u5000Match-

AND

indionetworksunibox_u5000_firmwareMatch2.4

VendorProductVersionCPE
indionetworksunibox_u50_firmware2.4cpe:2.3:o:indionetworks:unibox_u50_firmware:2.4:*:*:*:*:*:*:*
indionetworksunibox_u50-cpe:2.3:h:indionetworks:unibox_u50:-:*:*:*:*:*:*:*
indionetworksunibox_u500-cpe:2.3:h:indionetworks:unibox_u500:-:*:*:*:*:*:*:*
indionetworksunibox_u500_firmware2.4cpe:2.3:o:indionetworks:unibox_u500_firmware:2.4:*:*:*:*:*:*:*
indionetworksunibox_u1000-cpe:2.3:h:indionetworks:unibox_u1000:-:*:*:*:*:*:*:*
indionetworksunibox_u1000_firmware2.4cpe:2.3:o:indionetworks:unibox_u1000_firmware:2.4:*:*:*:*:*:*:*
indionetworksunibox_u2500-cpe:2.3:h:indionetworks:unibox_u2500:-:*:*:*:*:*:*:*
indionetworksunibox_u2500_firmware2.4cpe:2.3:o:indionetworks:unibox_u2500_firmware:2.4:*:*:*:*:*:*:*
indionetworksunibox_u5000-cpe:2.3:h:indionetworks:unibox_u5000:-:*:*:*:*:*:*:*
indionetworksunibox_u5000_firmware2.4cpe:2.3:o:indionetworks:unibox_u5000_firmware:2.4:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
indionetworks	unibox_u50_firmware	2.4	cpe:2.3:o:indionetworks:unibox_u50_firmware:2.4:::::::*
indionetworks	unibox_u50	-	cpe:2.3:h:indionetworks:unibox_u50:-:::::::*
indionetworks	unibox_u500	-	cpe:2.3:h:indionetworks:unibox_u500:-:::::::*
indionetworks	unibox_u500_firmware	2.4	cpe:2.3:o:indionetworks:unibox_u500_firmware:2.4:::::::*
indionetworks	unibox_u1000	-	cpe:2.3:h:indionetworks:unibox_u1000:-:::::::*
indionetworks	unibox_u1000_firmware	2.4	cpe:2.3:o:indionetworks:unibox_u1000_firmware:2.4:::::::*
indionetworks	unibox_u2500	-	cpe:2.3:h:indionetworks:unibox_u2500:-:::::::*
indionetworks	unibox_u2500_firmware	2.4	cpe:2.3:o:indionetworks:unibox_u2500_firmware:2.4:::::::*
indionetworks	unibox_u5000	-	cpe:2.3:h:indionetworks:unibox_u5000:-:::::::*
indionetworks	unibox_u5000_firmware	2.4	cpe:2.3:o:indionetworks:unibox_u5000_firmware:2.4:::::::*

References

wifi-soft.com

s3curityb3ast.github.io/KSA-Dev-008.txt

www.mail-archive.com/fulldisclosure%40seclists.org/msg07139.html

Social References

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.203

Percentile

96.4%

JSON

Related for CVE-2020-21884