Japan Vulnerability NotesJVN:38248512JVN#38248512: Multiple vulnerabilities in Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
73.3%
Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 provided by NEC Corporation contain multiple vulnerabilities listed below.
Aterm WF800HP:
Cross-site Scripting (CWE-79) - CVE-2021-20620
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 6.1 |
| CVSS v2 | AV:N/AC:M/Au:N/C:N/I:P/A:N | Base Score: 4.3 |
**Aterm WG2600HP and Aterm WG2600HP2:**Improper Access Control (CWE-284) - CVE-2017-12575
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | Base Score: 7.5 |
| CVSS v2 | AV:N/AC:M/Au:N/C:P/I:N/A:N | Base Score: 4.3 |
Cross-Site Request Forgery (CWE-352) - CVE-2021-20621
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | Base Score: 4.3 |
| CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
Cross-site Scripting (CWE-79) - CVE-2021-20622
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 6.1 |
| CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
Impact
- An arbitrary script may be executed on the user’s web browser - CVE-2021-20620
- A remote attacker may obtain and/or alter the settings stored in the device - CVE-2017-12575
- If a user accesses a specially crafted page while logged in, unintended operations may be performed - CVE-2021-20621
- An arbitrary script may be executed on the logged in user’s web browser - CVE-2021-20622
Solution
Apply workaround For the users of Aterm WF800HP:
Applying the following workaround may mitigate the impacts of the vulnerability.
- When accessing a website, use a URL obtained from a trusted source and register it to the bookmark. For subsequent accesses, use the URL registered in the bookmark.
Update the firmware For the users of Aterm WG2600HP and Aterm WG2600HP2:
Update the firmware to the latest version according to the information provided by the developer.
Products Affected
- Aterm WF800HP firmware all versions
- Aterm WG2600HP firmware Ver1.0.13 and earlier
- Aterm WG2600HP2 firmware Ver1.0.3 and earlier
Related
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
73.3%