[Japanese]
|
JVNDB-2018-000015
|
Multiple vulnerabilities in FS010W
|
FS010W provided by FUJI SOFT INCORPORATED is a WiFi router. FS010W contains multiple vulnerabilities listed below.
* Stored cross-site scripting (CWE-79) - CVE-2018-0519
* Cross-site request forgery (CWE-352) - CVE-2018-0520
Manabu Kobayashi reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 7.1 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2018-0520
|
CVSS V3 Severity:
Base Metrics:
4.3 (Medium) [IPA Score]
-
Attack Vector: Adjacent
-
Attack Complexity: Low
-
Privileges Required: High
-
User Interaction: Required: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
2.7 (Low)
[IPA Score]
-
Access Vector: Adjacent Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2018-0519
|
|
FUJISOFT INCORPORATED
- FS010W firmware FS010W_00_V1.3.0 and earlier
|
|
The possible impact of each vulnerability is as follows:
* An arbitrary script may be executed on the web browser of a user who is logging in the setting tool of the device - CVE-2018-0519
* If a user views a malicious page while logged in the setting tool of the affected product, unintended operations such as changing settings of the device may be conducted. - CVE-2018-0520
|
[Apply Workarounds]
Applying all workarounds listed below may mitigate the impacts of these vulnerabilities.
* Change the initial login password set in the setting tool
* Do not access other websites while logged into the setting tool
* Close the web browser after completing settings of the device using the setting tool
|
FUJISOFT INCORPORATED
|
- Cross-Site Request Forgery(CWE-352) [IPA Evaluation]
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
- CVE-2018-0519
- CVE-2018-0520
|
- JVN : JVN#83834277
- National Vulnerability Database (NVD) : CVE-2018-0519
- National Vulnerability Database (NVD) : CVE-2018-0520
|
- [2018/02/22]
Web page was published
- [2018/04/11]
References : Contents were added
|