Multiple Century Systems routers vulnerable to cross-site request forgery


The web interface in multiple Century Systems routers is vulnerable to cross-site request forgery.

Multiple Century Systems Co., Ltd. routers provide a web-based interface for users to configure the routers. The web interface is vulnerable to cross-site request forgery.

Hirotaka Katagiri reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Century Systems Co., Ltd.
  • XR-1100 ver1.6.2 and earlier
  • XR-410 ver1.6.8 and earlier
  • XR-410-L2 ver1.6.1 and earlier
  • XR-440 ver1.7.7 and earlier
  • XR-510 ver3.5.0 and earlier
  • XR-540 ver3.5.2 and earlier
  • XR-640 ver1.6.7 and earlier
  • XR-640-L2 ver1.6.1 and earlier
  • XR-730 ver3.5.0 and earlier


If the administrator views a malicious website while logged onto the web interface, the password and other configuration settings could be modified.

[Update the Software]

For XR-410 and XR-510 users:

Apply the latest version of the firmware provided by the vendor.

XR-410 ver1.6.9
XR-510 ver3.5.3

For other XR series users:

As of 2008 July 22, there are no updates for other XR series from the vendor.
According to the vendor, the updates for other XR series will be released soon.

For more information, refer to the vendor's website.
Vendor Information

Century Systems Co., Ltd.
CWE (What is CWE?)

  1. Cross-Site Request Forgery(CWE-352) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2008-6449

  1. JVN : JVN#67573833
  2. National Vulnerability Database (NVD) : CVE-2008-6449
  3. JVN iPedia (Japanese) : JVNDB-2008-000042
Revision History

  • [2008/07/24]
      Web page published