Details of VAR-201906-0773

ID

VAR-201906-0773

CVE

CVE-2017-8332

TITLE

plural Securifi Almond Cross-site scripting vulnerability in device firmware

Trust: 0.8

sources: JVNDB: JVNDB-2017-014539

DESCRIPTION

An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of blocking key words passing in the web traffic to prevent kids from watching content that might be deemed unsafe using the web management interface. It seems that the device does not implement any cross-site scripting protection mechanism which allows an attacker to trick a user who is logged in to the web management interface into executing a stored cross-site scripting payload on the user's browser and execute any action on the device provided by the web management interface. Securifi Almond , Almond+ , Almond 2015 The device firmware contains a cross-site scripting vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SecurifiAlmond is a wireless router with a touch screen. Any code or change the user password

Trust: 2.34

sources: NVD: CVE-2017-8332 // JVNDB: JVNDB-2017-014539 // CNVD: CNVD-2019-18748 // VULHUB: VHN-116535 // VULMON: CVE-2017-8332

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-18748

AFFECTED PRODUCTS

vendor:	securifi	model:	almond 2015	scope:	eq	version:	al-r096	Trust: 1.8
vendor:	securifi	model:	almond	scope:	eq	version:	al-r096	Trust: 1.8
vendor:	securifi	model:	almond\+	scope:	eq	version:	al-r096	Trust: 1.0
vendor:	securifi	model:	almond+	scope:	eq	version:	al-r096	Trust: 0.8
vendor:	securifi	model:	almond+ al-r096	scope:	-	version:	-	Trust: 0.6
vendor:	securifi	model:	almond-2015 al-r096	scope:	-	version:	-	Trust: 0.6
vendor:	securifi	model:	almond al-r096	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2019-18748 // JVNDB: JVNDB-2017-014539 // NVD: CVE-2017-8332

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-8332
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-8332
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-18748
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201906-715
value:	HIGH
Trust: 0.6
VULHUB:	VHN-116535
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2017-8332
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-8332
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2019-18748
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.8
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-116535
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-8332
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2019-18748 // VULHUB: VHN-116535 // VULMON: CVE-2017-8332 // JVNDB: JVNDB-2017-014539 // CNNVD: CNNVD-201906-715 // NVD: CVE-2017-8332

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-116535 // JVNDB: JVNDB-2017-014539 // NVD: CVE-2017-8332

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-715

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201906-715

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014539

PATCH

title:	almond	url:	https://www.securifi.com/ja/almond	Trust: 0.8
title:	almondplus	url:	https://www.securifi.com/ja/almondplus	Trust: 0.8
title:	almond-2015	url:	https://www.securifi.com/ja/almond-2015	Trust: 0.8
title:	Patch for SecurifiAlmond Cross-Site Scripting Vulnerability (CNVD-2019-18748)	url:	https://www.cnvd.org.cn/patchInfo/show/164215	Trust: 0.6
title:	Securifi Almond Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93900	Trust: 0.6
title:	IoT_vulnerabilities	url:	https://github.com/ethanhunnt/IoT_vulnerabilities	Trust: 0.1

sources: CNVD: CNVD-2019-18748 // VULMON: CVE-2017-8332 // JVNDB: JVNDB-2017-014539 // CNNVD: CNNVD-201906-715

EXTERNAL IDS

db:	NVD	id:	CVE-2017-8332	Trust: 3.3
db:	PACKETSTORM	id:	153227	Trust: 2.5
db:	JVNDB	id:	JVNDB-2017-014539	Trust: 0.8
db:	CNNVD	id:	CNNVD-201906-715	Trust: 0.7
db:	CNVD	id:	CNVD-2019-18748	Trust: 0.6
db:	VULHUB	id:	VHN-116535	Trust: 0.1
db:	VULMON	id:	CVE-2017-8332	Trust: 0.1

sources: CNVD: CNVD-2019-18748 // VULHUB: VHN-116535 // VULMON: CVE-2017-8332 // JVNDB: JVNDB-2017-014539 // PACKETSTORM: 153227 // CNNVD: CNNVD-201906-715 // NVD: CVE-2017-8332

REFERENCES

url:	https://github.com/ethanhunnt/iot_vulnerabilities/blob/master/securifi_almond_plus_sec_issues.pdf	Trust: 3.2
url:	https://seclists.org/bugtraq/2019/jun/8	Trust: 2.4
url:	http://packetstormsecurity.com/files/153227/securifi-almond-2015-buffer-overflow-command-injection-xss-csrf.html	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8332	Trust: 1.5
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-8332	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/ethanhunnt/iot_vulnerabilities	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8330	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8333	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8335	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8329	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8337	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8328	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8331	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8336	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8334	Trust: 0.1

CREDITS

Mandar Satam

Trust: 0.1

sources: PACKETSTORM: 153227

SOURCES

db:	CNVD	id:	CNVD-2019-18748
db:	VULHUB	id:	VHN-116535
db:	VULMON	id:	CVE-2017-8332
db:	JVNDB	id:	JVNDB-2017-014539
db:	PACKETSTORM	id:	153227
db:	CNNVD	id:	CNNVD-201906-715
db:	NVD	id:	CVE-2017-8332

LAST UPDATE DATE

2024-11-23T21:52:10.473000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-18748	date:	2019-06-21T00:00:00
db:	VULHUB	id:	VHN-116535	date:	2019-06-21T00:00:00
db:	VULMON	id:	CVE-2017-8332	date:	2019-06-21T00:00:00
db:	JVNDB	id:	JVNDB-2017-014539	date:	2019-06-25T00:00:00
db:	CNNVD	id:	CNNVD-201906-715	date:	2019-06-24T00:00:00
db:	NVD	id:	CVE-2017-8332	date:	2024-11-21T03:33:46.787

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-18748	date:	2019-06-21T00:00:00
db:	VULHUB	id:	VHN-116535	date:	2019-06-18T00:00:00
db:	VULMON	id:	CVE-2017-8332	date:	2019-06-18T00:00:00
db:	JVNDB	id:	JVNDB-2017-014539	date:	2019-06-25T00:00:00
db:	PACKETSTORM	id:	153227	date:	2019-06-07T15:06:02
db:	CNNVD	id:	CNNVD-201906-715	date:	2019-06-18T00:00:00
db:	NVD	id:	CVE-2017-8332	date:	2019-06-18T21:15:09.840