JVNDB-2024-000088
|
Multiple vulnerabilities in ELECOM wireless LAN routers and access points
|
Multiple wireless LAN routers and access points provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.
* Cross-site scripting vulnerability due to improper processing of input values in easysetup.cgi and menu.cgi (CWE-79) - CVE-2024-34577, CVE-2024-42412
* Missing authentication in the Telnet function (CWE-306) - CVE-2024-39300
* Stack-based buffer overflow due to improper processing of input values in common.cgi (CWE-121) - CVE-2024-43689
CVE-2024-34577
Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVE-2024-39300
SASABE Tetsuro reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVE-2024-42412, CVE-2024-43689
RyotaK of Flatt Security Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 8.8 (High) [IPA Score]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-43689
|
CVSS V3 Severity: Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-34577, CVE-2024-42412
|
CVSS V3 Severity: Base Metrics 8.1 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-39300
|
ELECOM CO.,LTD.
- WAB-I1750-PS v1.5.10 and earlier (CVE-2024-39300, CVE-2024-42412, CVE-2024-43689)
- WAB-S1167-PS v1.5.6 and earlier (CVE-2024-42412, CVE-2024-43689)
- WRC-X3000GS2-B firmware v1.08 and earlier (CVE-2024-34577)
- WRC-X3000GS2-W firmware v1.08 and earlier (CVE-2024-34577)
- WRC-X3000GS2A-B firmware v1.08 and earlier (CVE-2024-34577)
|
* If a user views a malicious web page while logged in to the product, an arbitrary script may be executed on the user's web browser (CVE-2024-34577, CVE-2024-42412)
* When the Telnet function of the product is enabled, a remote attacker may log in to the product without authentication and alter the product's settings (CVE-2024-39300)
* By processing a specially crafted HTTP request, arbitrary code may be executed (CVE-2024-43689)
|
[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
|
ELECOM CO.,LTD.
|
- Buffer Errors (CWE-119) [IPA Evaluation]
- Cross-site Scripting (CWE-79) [IPA Evaluation]
- No Mapping (CWE-Other) [IPA Evaluation]
|
- CVE-2024-34577
- CVE-2024-39300
- CVE-2024-42412
- CVE-2024-43689
|
- JVN : JVN#24885537
|
- [2024/08/27]
Web page was published
|