Lucene search

Japan Vulnerability NotesJVN:40613060

HistoryDec 02, 2016 - 12:00 a.m.

JVN#40613060: Multiple vulnerabilities in WNC01WH

2016-12-0200:00:00

Japan Vulnerability Notes

jvn.jp

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

69.9%

JSON

WNC01WH provided by BUFFALO INC. is a network camera. WNC01WH contains multiple vulnerabilities listed below.

Denial-of-service (DoS) - CVE-2016-7821

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	Base Score: 6.5
CVSS v2	AV:N/AC:H/Au:N/C:N/I:N/A:C	Base Score: 5.4

Cross-site request forgery (CWE-352) - CVE-2016-7822

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N	Base Score: 7.1
CVSS v2	AV:N/AC:H/Au:N/C:P/I:P/A:N	Base Score: 4.0

Stored cross-site scripting (CWE-79) - CVE-2016-7823

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N	Base Score: 4.3
CVSS v2	AV:A/AC:L/Au:S/C:N/I:P/A:N	Base Score: 2.7

Enabling debug option - CVE-2016-7824

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	Base Score: 6.8
CVSS v2	AV:A/AC:L/Au:S/C:N/I:P/A:N	Base Score: 2.7

Directory traversal due to an issue in processing commands (CWE-22) - CVE-2016-7825

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N	Base Score: 2.0
CVSS v2	AV:A/AC:H/Au:S/C:P/I:N/A:N	Base Score: 1.4

Directory traversal due to an issue in processing POST request (CWE-22) - CVE-2016-7826

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H	Base Score: 6.1
CVSS v2	AV:A/AC:L/Au:S/C:N/I:P/A:C	Base Score: 6.2

Impact

If a user views a malicious page while logged-in, the user may not be able to access the management screen - CVE-2016-7821
If a user views a malicious page while logged-in, unintended operations may be conducted - CVE-2016-7822
An arbitrary script may be executed on the logged-in user’s web browser - CVE-2016-7823
An authenticated attacker may enable the debug option - CVE-2016-7824
An authenticated attacker may obtain arbitrary files on the product - CVE-2016-7825
An authenticated attacker may delete arbitrary files on the product - CVE-2016-7826

Solution

Update the Firmware
Update to the latest version of firmware according to the information provided by the developer.

Products Affected

WNC01WH firmware version 1.0.0.8 and earlier

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

69.9%

JSON

Related for JVN:40613060