Lucene search

[email protected]NVD:CVE-2021-35956

HistoryJun 30, 2021 - 12:15 p.m.

CVE-2021-35956

2021-06-3012:15:07

CWE-79

[email protected]

web.nvd.nist.gov

stored xss

akcp sensorprobe

remote attackers

arbitrary javascript

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.002

Percentile

53.8%

JSON

Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.

Affected configurations

Nvd

Node

akcpsensorprobe2_firmwareRange<sp480-20210624

AND

akcpsensorprobe2Match-

Node

akcpsensorprobe4_firmwareRange<sp480-20210624

AND

akcpsensorprobe4Match-

Node

akcpsensorprobe8_firmwareRange<sp480-20210624

AND

akcpsensorprobe8Match-

Node

akcpsensorprobe8-x20_firmwareRange<sp480-20210624

AND

akcpsensorprobe8-x20Match-

Node

akcpsensorprobe8-x60_firmwareRange<sp480-20210624

AND

akcpsensorprobe8-x60Match-

VendorProductVersionCPE
akcpsensorprobe2_firmware*cpe:2.3:o:akcp:sensorprobe2_firmware:*:*:*:*:*:*:*:*
akcpsensorprobe2-cpe:2.3:h:akcp:sensorprobe2:-:*:*:*:*:*:*:*
akcpsensorprobe4_firmware*cpe:2.3:o:akcp:sensorprobe4_firmware:*:*:*:*:*:*:*:*
akcpsensorprobe4-cpe:2.3:h:akcp:sensorprobe4:-:*:*:*:*:*:*:*
akcpsensorprobe8_firmware*cpe:2.3:o:akcp:sensorprobe8_firmware:*:*:*:*:*:*:*:*
akcpsensorprobe8-cpe:2.3:h:akcp:sensorprobe8:-:*:*:*:*:*:*:*
akcpsensorprobe8-x20_firmware*cpe:2.3:o:akcp:sensorprobe8-x20_firmware:*:*:*:*:*:*:*:*
akcpsensorprobe8-x20-cpe:2.3:h:akcp:sensorprobe8-x20:-:*:*:*:*:*:*:*
akcpsensorprobe8-x60_firmware*cpe:2.3:o:akcp:sensorprobe8-x60_firmware:*:*:*:*:*:*:*:*
akcpsensorprobe8-x60-cpe:2.3:h:akcp:sensorprobe8-x60:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
akcp	sensorprobe2_firmware	*	cpe:2.3:o:akcp:sensorprobe2_firmware::::::::
akcp	sensorprobe2	-	cpe:2.3:h:akcp:sensorprobe2:-:::::::*
akcp	sensorprobe4_firmware	*	cpe:2.3:o:akcp:sensorprobe4_firmware::::::::
akcp	sensorprobe4	-	cpe:2.3:h:akcp:sensorprobe4:-:::::::*
akcp	sensorprobe8_firmware	*	cpe:2.3:o:akcp:sensorprobe8_firmware::::::::
akcp	sensorprobe8	-	cpe:2.3:h:akcp:sensorprobe8:-:::::::*
akcp	sensorprobe8-x20_firmware	*	cpe:2.3:o:akcp:sensorprobe8-x20_firmware::::::::
akcp	sensorprobe8-x20	-	cpe:2.3:h:akcp:sensorprobe8-x20:-:::::::*
akcp	sensorprobe8-x60_firmware	*	cpe:2.3:o:akcp:sensorprobe8-x60_firmware::::::::
akcp	sensorprobe8-x60	-	cpe:2.3:h:akcp:sensorprobe8-x60:-:::::::*

References

packetstormsecurity.com/files/163343/AKCP-sensorProbe-SPX476-Cross-Site-Scripting.html

www.akcp.in.th/downloads/Firmwares/SP480-20210624.zip

tbutler.org/2021/06/28/cve-2021-35956

www.akcp.com/support-center/customer-login/sensor-probe-firmware-changelog/

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.002

Percentile

53.8%

JSON

Related for NVD:CVE-2021-35956

packetstorm1 exploitdb1 zdt1 prion1 cve1 githubexploit1 cvelist1