CVE-2023-34354

2023-10-1116:15:13

CWE-80

CWE-79

[email protected]

web.nvd.nist.gov

cve-2023-34354

stored xss

cross-site scripting

peplink surf soho hw1

security vulnerability

nvd

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

5.8 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.4%

JSON

A stored cross-site scripting (XSS) vulnerability exists in the upload_brand.cgi functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to execution of arbitrary javascript in another user’s browser. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Affected configurations

Vulners

NVD

Node

peplinksurf_sohoRange≤v6.3.5 (in QEMU)

VendorProductVersionCPE
peplinksurf_soho*cpe:2.3:h:peplink:surf_soho:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
peplink	surf_soho	*	cpe:2.3:h:peplink:surf_soho::::::::

CNA Affected

[
  {
    "vendor": "Peplink",
    "product": "Surf SOHO HW1",
    "versions": [
      {
        "version": "v6.3.5 (in QEMU)",
        "status": "affected"
      }
    ]
  }
]