JVNDB-2024-000101

Multiple vulnerabilities in PLANEX COMMUNICATIONS network devices

Overview

Multiple network devices (network cameras and a router) provided by PLANEX COMMUNICATIONS INC. contain multiple vulnerabilities listed below.
  • Cross-site request forgery (CWE-352) - CVE-2024-45372
  • Cross-site scripting vulnerability in the web management page (CWE-79) - CVE-2024-45836

CVE-2024-45372
Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVE-2024-45836
Ryota Honda, Akihito Takeuchi, Daichi Uezono, Junnosuke Kushibiki, Ryu Kuki, Takayuki Sasaki and Katsunari Yoshioka of Yokohama National University reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity

CVSS V3 Severity:
Base Metrics 7.1 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: Low
The above CVSS base scores have been assigned for CVE-2024-45372
CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-45836
Affected Products
PLANEX COMMUNICATIONS INC.
  • CS-QR10 all firmware versions (CVE-2024-45836)
  • CS-QR20 all firmware versions (CVE-2024-45836)
  • CS-QR22 all firmware versions (CVE-2024-45836)
  • CS-QR220 all firmware versions (CVE-2024-45836)
  • CS-QR300 all firmware versions (CVE-2024-45836)
  • MZK-DP300N firmware versions 1.04 and earlier (CVE-2024-45372)

Impact

  • Viewing a malicious page while logged in to the web management page of the affected product may lead the user to perform unintended operations, such as changing the login password (CVE-2024-45372)
  • If a logged-in user accesses a specific file, an arbitrary script may be executed on the web browser of the user (CVE-2024-45836)
Solution

CVE-2024-45372
[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.

CVE-2024-45836
[Stop using the web management page or the products themselves]
The developer states that either the web management page of these products is an unsupported function or the affected products are no longer supported. Users are therefore recommended to stop using the function or the affected products and to switch to alternative products.
Vendor Information

PLANEX COMMUNICATIONS INC.
CWE

  1. Cross-Site Request Forgery (CWE-352) [IPA Evaluation]
  2. Cross-site Scripting (CWE-79) [IPA Evaluation]
CVE

  1. CVE-2024-45372
  2. CVE-2024-45836
References

  1. JVN : JVN#81966868
Revision History

  • [2024/09/24]
      Web page was published