ID

VAR-201703-1072


CVE

CVE-2017-6366


TITLE

NETGEAR DGN2200 Cross-site request forgery vulnerability in router firmware

Trust: 0.8

sources: JVNDB: JVNDB-2017-002702

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 routers with firmware 10.0.0.20 through 10.0.0.50 allows remote attackers to hijack the authentication of users for requests that perform DNS lookups via the host_name parameter to dnslookup.cgi. NOTE: this issue can be combined with CVE-2017-6334 to execute arbitrary code remotely. NETGEAR DGN2200 is a wireless router product of NETGEAR.

Trust: 1.71

sources: NVD: CVE-2017-6366 // JVNDB: JVNDB-2017-002702 // VULHUB: VHN-114569

AFFECTED PRODUCTS

vendor: netgear, model: dgn2200, scope: lte, version: 10.0.0.50

Trust: 1.0

vendor: net gear, model: dgn2200, scope: eq, version: 10.0.0.20 to 10.0.0.50

Trust: 0.8

vendor: netgear, model: dgn2200, scope: eq, version: 10.0.0.50

Trust: 0.6

sources: JVNDB: JVNDB-2017-002702 // CNNVD: CNNVD-201702-935 // NVD: CVE-2017-6366

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-6366
value: HIGH

Trust: 1.0

NVD: CVE-2017-6366
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201702-935
value: MEDIUM

Trust: 0.6

VULHUB: VHN-114569
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-6366
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-114569
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-6366
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-114569 // JVNDB: JVNDB-2017-002702 // CNNVD: CNNVD-201702-935 // NVD: CVE-2017-6366

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-114569 // JVNDB: JVNDB-2017-002702 // NVD: CVE-2017-6366

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-935

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201702-935

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-002702

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-114569

PATCH

title: DGN2200, url: https://www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx?cid=wmt_netgear_organic

Trust: 0.8

sources: JVNDB: JVNDB-2017-002702

EXTERNAL IDS

db: NVD, id: CVE-2017-6366

Trust: 2.5

db: EXPLOIT-DB, id: 41472

Trust: 2.5

db: JVNDB, id: JVNDB-2017-002702

Trust: 0.8

db: CNNVD, id: CNNVD-201702-935

Trust: 0.7

db: VULHUB, id: VHN-114569

Trust: 0.1

sources: VULHUB: VHN-114569 // JVNDB: JVNDB-2017-002702 // CNNVD: CNNVD-201702-935 // NVD: CVE-2017-6366

REFERENCES

url:https://www.exploit-db.com/exploits/41472/

Trust: 2.5

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6366

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-6366

Trust: 0.8

sources: VULHUB: VHN-114569 // JVNDB: JVNDB-2017-002702 // CNNVD: CNNVD-201702-935 // NVD: CVE-2017-6366

SOURCES

db: VULHUB, id: VHN-114569
db: JVNDB, id: JVNDB-2017-002702
db: CNNVD, id: CNNVD-201702-935
db: NVD, id: CVE-2017-6366

LAST UPDATE DATE

2024-11-23T22:07:30.254000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-114569, date: 2017-03-29T00:00:00
db: JVNDB, id: JVNDB-2017-002702, date: 2017-04-26T00:00:00
db: CNNVD, id: CNNVD-201702-935, date: 2017-03-16T00:00:00
db: NVD, id: CVE-2017-6366, date: 2024-11-21T03:29:38.207

SOURCES RELEASE DATE

db: VULHUB, id: VHN-114569, date: 2017-03-15T00:00:00
db: JVNDB, id: JVNDB-2017-002702, date: 2017-04-26T00:00:00
db: CNNVD, id: CNNVD-201702-935, date: 2017-02-28T00:00:00
db: NVD, id: CVE-2017-6366, date: 2017-03-15T14:59:00.853