|
[Japanese]
|
JVNDB-2023-000071
|
Multiple vulnerabilities in multiple ELECOM wireless LAN routers and wireless LAN repeaters
|
|
Wireless LAN routers and wireless LAN repeaters provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.
* Cross-site Scripting (CWE-79) - CVE-2023-37560
* Open Redirect (CWE-601) - CVE-2023-37561
* Cross-Site Request Forgery (CWE-352) - CVE-2023-37562
* Information disclosure (CWE-200) - CVE-2023-37563
* OS Command Injection (CWE-78) - CVE-2023-37564
* Code Injection (CWE-94) - CVE-2023-37565
CVE-2023-37560
Yamaguchi Kakeru reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-37561, CVE-2023-37562
Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-37563
Shu Yoshikoshi reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC during the same period, and JPCERT/CC coordinated with the developer.
CVE-2023-37564
Shu Yoshikoshi reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-37565
MASAHIRO IIDA and SHUTA IDE of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity:
Base Metrics 7.7 (High) [IPA Score]
- Access Vector: Adjacent Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2023-37564
|
CVSS V3 Severity:
Base Metrics
6.1 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
2.6 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-37560
|
CVSS V3 Severity:
Base Metrics
4.7 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
2.6 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-37561
|
CVSS V3 Severity:
Base Metrics
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
2.6 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-37562
|
CVSS V3 Severity:
Base Metrics
6.5 (Medium) [IPA Score]
-
Attack Vector: Adjacent Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: None
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
3.3 (Low)
[IPA Score]
-
Access Vector: Adjacent Network
-
Access Complexity: Low
-
Authentication: None
-
Confidentiality Impact: Partial
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-37563
|
CVSS V3 Severity:
Base Metrics
6.8 (Medium) [IPA Score]
-
Attack Vector: Adjacent Network
-
Attack Complexity: Low
-
Privileges Required: High
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: High
-
Availability Impact: High
CVSS V2 Severity:Base Metrics
5.2 (Medium)
[IPA Score]
-
Access Vector: Adjacent Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: Partial
-
Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2023-37565
|
|
|
ELECOM CO.,LTD.
- WRC-1167FEBK-A v1.18 and earlier (CVE-2023-37563, CVE-2023-37564, CVE-2023-37565)
- WRC-1167FEBK-S v1.04 and earlier (CVE-2023-37563, CVE-2023-37564, CVE-2023-37565)
- WRC-1167GEBK-S v1.03 and earlier (CVE-2023-37563, CVE-2023-37564, CVE-2023-37565)
- WRC-1167GHBK-S v1.03 and earlier (CVE-2023-37563, CVE-2023-37564, CVE-2023-37565)
- WRC-1167GHBK3-A v1.24 and earlier (CVE-2023-37563, CVE-2023-37564, CVE-2023-37565)
- WRC-1467GHBK-A all versions (CVE-2023-37563)
- WRC-1467GHBK-S all versions (CVE-2023-37563)
- WRC-1900GHBK-A all versions (CVE-2023-37563)
- WRC-1900GHBK-S all versions (CVE-2023-37563)
- WRC-600GHBK-A all versions (CVE-2023-37563)
- WRC-733FEBK2-A all versions (CVE-2023-37563)
- WRC-F1167ACF firmware all versions (CVE-2023-37563)
- WRH-300WH-H v2.12 and earlier (CVE-2023-37560, CVE-2023-37561)
- WTC-300HWH v1.09 and earlier (CVE-2023-37560, CVE-2023-37561)
- WTC-C1167GC-B v1.17 and earlier (CVE-2023-37561, CVE-2023-37562)
- WTC-C1167GC-W v1.17 and earlier (CVE-2023-37561, CVE-2023-37562)
|
|
|
* An arbitrary script may be executed on a logged-in user's web browser - CVE-2023-37560
* When accessing a specially crafted URL, the user of the website using the affected product may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack - CVE-2023-37561
* If a user views a malicious page while logged in, unintended operations may be performed - CVE-2023-37562
* A network-adjacent attacker who can access the affected product may obtain sensitive information - CVE-2023-37563
* A network-adjacent authenticated attacker may execute an arbitrary OS command with root privilege by sending a specially crafted request - CVE-2023-37564
* A network-adjacent authenticated attacker may execute an arbitrary OS command by sending a specially crafted request - CVE-2023-37565
|
|
[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
[Stop using the products]
Some vulnerable products are no longer supported. For more information, refer to the security advisory from the developer and stop using the products.
|
|
ELECOM CO.,LTD.
|
|
- Information Exposure(CWE-200) [IPA Evaluation]
- Cross-Site Request Forgery(CWE-352) [IPA Evaluation]
- OS Command Injection(CWE-78) [IPA Evaluation]
- Cross-site Scripting(CWE-79) [IPA Evaluation]
- Code Injection(CWE-94) [IPA Evaluation]
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2023-37560
- CVE-2023-37561
- CVE-2023-37562
- CVE-2023-37563
- CVE-2023-37564
- CVE-2023-37565
|
|
- JVN : JVN#05223215
- National Vulnerability Database (NVD) : CVE-2023-37560
- National Vulnerability Database (NVD) : CVE-2023-37561
- National Vulnerability Database (NVD) : CVE-2023-37562
- National Vulnerability Database (NVD) : CVE-2023-37563
- National Vulnerability Database (NVD) : CVE-2023-37564
- National Vulnerability Database (NVD) : CVE-2023-37565
|
|
- [2023/07/11]
Web page was published
- [2023/08/10]
Affected Products : Products were added
Solution was modified
Vendor Information : Content was added
- [2024/03/29]
References : Contents were added
|
