CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.969 High
Percentile: 99.7%

Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.
Improper Access Control (CWE-284) - CVE-2021-20643
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | Base Score: 5.3 |
CVSS v2 | AV:N/AC:L/Au:N/C:N/I:P/A:N | Base Score: 5.0 |
Script injection in web setup page (CWE-74) - CVE-2021-20644
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 5.2 |
CVSS v2 | AV:A/AC:L/Au:N/C:N/I:P/A:N | Base Score: 3.3 |
Stored cross-site scripting (CWE-79) - CVE-2021-20645
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Base Score: 5.4 |
CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | Base Score: 3.5 |
Cross-site request forgery (CWE-352) - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | Base Score: 4.3 |
CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
OS command injection (CWE-78) - CVE-2021-20648
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | Base Score: 6.8 |
CVSS v2 | AV:A/AC:L/Au:S/C:P/I:P/A:P | Base Score: 5.2 |
Improper server certificate verification (CWE-295) - CVE-2021-20649
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | Base Score: 4.8 |
CVSS v2 | AV:N/AC:H/Au:N/C:P/I:P/A:N | Base Score: 4.0 |
OS command injection via UPnP (CWE-78) - CVE-2014-8361
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Base Score: 8.8 |
CVSS v2 | AV:A/AC:L/Au:N/C:P/I:P/A:P | Base Score: 5.0 |
Stop using the products
The developer states that these vulnerable products are no longer supported; therefore, stop using the products.
According to the developer, the following workarounds may also mitigate some of the effects of these issues.
Apply a Workaround
CVE-2021-20645, CVE-2021-20646, CVE-2021-20647, CVE-2021-20648, CVE-2021-20650
Change the web setup page’s login password.
Do not access other websites while logged in to the web setup page.
Close the web browser after the operation is finished on the web setup page.
Delete the password of the web setup page stored in the web browser.
CVE-2021-20649
Do not execute the firmware’s “Check for update files” function.
For the detailed setting change process, refer to the User’s Manual for the products.
CVE-2014-8361
Disable UPnP.
CVE | Product |
---|---|
CVE-2021-20643 | LD-PS/U1 |
CVE-2021-20644 | WRC-1467GHBK-A |
CVE-2021-20645, CVE-2021-20646 | WRC-300FEBK-A |
CVE-2021-20647, CVE-2021-20648, CVE-2021-20649 | WRC-300FEBK-S |
CVE-2021-20650 | NCC-EWF100RMWH2 |
CVE-2014-8361 | WRC-300FEBK, WRC-F300NF, WRC-300FEBK-S |