CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
EPSS
Percentile: 23.4%
An authentication bypass vulnerability exists in the Web Manager functionality of Lantronix XPort EDGE 3.0.0.0R11, 3.1.0.0R9, 3.4.0.0R12 and 4.2.0.0R7. A specially crafted HTTP request can cause increased privileges. An attacker can send an HTTP request to trigger this vulnerability.
Lantronix XPort EDGE 3.0.0.0R11
Lantronix XPort EDGE 3.1.0.0R9
Lantronix XPort EDGE 3.4.0.0R12
Lantronix XPort EDGE 4.2.0.0R7
Lantronix SGX 5150 8.7.0.0R1
Lantronix SGX 5150 8.9.0.0R4
<https://www.lantronix.com/products/xport-edge/>
4.8 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:N
CWE-352 - Cross-Site Request Forgery (CSRF)
The XPort EDGE is a next-generation wired Ethernet gateway for providing secure Ethernet connectivity to serial devices.
A GET request to the XPort EDGE Web Manager application with a valid username and password will cause a session to be set for that user. Any subsequent requests made by the user's browser will be granted the same privileges as the original authenticated GET request. An attacker could craft a malicious web page that submits a POST request, which would allow the attacker to modify configuration data. Examples of configuration changes an attacker could make include enabling or disabling services such as telnet, modifying user credentials, and modifying the serial line configuration. This attack could result in denying access to legitimate users, allowing the attacker to further configure the device through the telnet service, or denying access to the serial line data.
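The flaw described above is that the session cookie alone authorises a configuration POST. The following is an added example, not Lantronix code: it models that Web Manager flow with constructed requests and shows a cookie-only gate beside one that also requires a same-origin Origin/Referer header and a per-session CSRF token. All names, paths and the device address are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

TRUSTED_ORIGIN = "http://192.0.2.10"  # constructed device address (assumed)
SESSIONS = {}  # session id -> Session, set after an authenticated GET


@dataclass
class Session:
    user: str
    # Per-session synchronizer token the Web Manager page would embed in forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict


def login(user, password):
    """Constructed credential check; the real device auth is not modelled."""
    if password != "constructed-pass":
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user)
    return sid


def vulnerable_allows(req):
    """Cookie-only gate: any POST that carries a valid cookie is accepted,
    including one a third-party page made the browser send."""
    return req.method == "POST" and req.cookies.get("sid") in SESSIONS


def hardened_allows(req):
    """Require a valid session, a same-origin Origin (or Referer) header,
    and a form token matching the session's token; absence of both headers
    is treated as cross-site."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None or req.method != "POST":
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(TRUSTED_ORIGIN + "/") and origin != TRUSTED_ORIGIN:
        return False
    return hmac.compare_digest(req.form.get("csrf_token", ""), sess.csrf_token)


def sample_requests(sid):
    """Constructed requests: one from the device's own page, one cross-site."""
    tok = SESSIONS[sid].csrf_token
    legit = Request("POST", "/config/telnet", {"Origin": TRUSTED_ORIGIN},
                    {"sid": sid}, {"enabled": "0", "csrf_token": tok})
    forged = Request("POST", "/config/telnet", {"Origin": "http://other.example"},
                     {"sid": sid}, {"enabled": "1"})
    return legit, forged
```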
2020-08-10 - Vendor Disclosure
2020-12-16 - Public Release