JVNDB-2021-000069

Optical BB unit E-WMTA2.3 vulnerable to cross-site request forgery

Overview

Optical BB unit E-WMTA2.3 provided by SoftBank contains a cross-site request forgery vulnerability (CWE-352).

Hiroki Nishino reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


SoftBank
  • Optical BB unit E-WMTA 2.3

Impact

If a user views a malicious page while logged in, unintended operations may be performed.
Solution

[Update the firmware]
According to the developer, the fixed firmware for this vulnerability was released in December 2020, and the update is applied automatically.
Vendor Information

SoftBank
CWE

  1. Cross-Site Request Forgery (CWE-352) [IPA Evaluation]
CVE

  1. CVE-2021-20783
References

  1. JVN : JVN#34364599
  2. National Vulnerability Database (NVD) : CVE-2021-20783
Revision History

  • [2021/07/14]
      Web page was published