Lucene search

[email protected]NVD:CVE-2023-34354

HistoryOct 11, 2023 - 4:15 p.m.

CVE-2023-34354

2023-10-1116:15:13

CWE-79

CWE-80

[email protected]

web.nvd.nist.gov

stored cross-site scripting

peplink surf soho hw1

qemu

http request

arbitrary javascript execution

authenticated

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

4.4 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.4%

JSON

A stored cross-site scripting (XSS) vulnerability exists in the upload_brand.cgi functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to execution of arbitrary javascript in another user’s browser. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Affected configurations

NVD

Node

peplinksurf_soho_firmwareMatch6.3.5

AND

peplinksurf_sohoMatchhw1

References

talosintelligence.com/vulnerability_reports/TALOS-2023-1781