ID

VAR-201909-0723


CVE

CVE-2019-16533


TITLE

DrayTek Vigor2925 Cross-site scripting vulnerability in device firmware

Trust: 0.8

sources: JVNDB: JVNDB-2019-009608

DESCRIPTION

On DrayTek Vigor2925 devices with firmware 3.8.4.3, Incorrect Access Control exists in loginset.htm, and can be used to trigger XSS. NOTE: this is an end-of-life product. The DrayTek Vigor2925 device firmware contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. DrayTek Vigor2925 is a wireless firewall router produced by DrayTek, Taiwan. The vulnerability is caused by the lack of correct verification of client data in the web application. Attackers can use this vulnerability to execute client code.

Trust: 2.25

sources: NVD: CVE-2019-16533 // JVNDB: JVNDB-2019-009608 // CNVD: CNVD-2020-53296 // VULHUB: VHN-148689

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-53296

AFFECTED PRODUCTS

vendor: draytek, model: vigor2925, scope: eq, version: 3.8.4.3

Trust: 2.4

sources: CNVD: CNVD-2020-53296 // JVNDB: JVNDB-2019-009608 // NVD: CVE-2019-16533

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-16533
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-16533
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-53296
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201909-993
value: MEDIUM

Trust: 0.6

VULHUB: VHN-148689
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-16533
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-53296
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-148689
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-16533
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2019-16533
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-53296 // VULHUB: VHN-148689 // JVNDB: JVNDB-2019-009608 // CNNVD: CNNVD-201909-993 // NVD: CVE-2019-16533

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-148689 // JVNDB: JVNDB-2019-009608 // NVD: CVE-2019-16533

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-993

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201909-993

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-009608

PATCH

title: Top Page, url: https://www.draytek.com/

Trust: 0.8

sources: JVNDB: JVNDB-2019-009608

EXTERNAL IDS

db: NVD, id: CVE-2019-16533

Trust: 3.1

db: JVNDB, id: JVNDB-2019-009608

Trust: 0.8

db: CNNVD, id: CNNVD-201909-993

Trust: 0.7

db: CNVD, id: CNVD-2020-53296

Trust: 0.6

db: VULHUB, id: VHN-148689

Trust: 0.1

sources: CNVD: CNVD-2020-53296 // VULHUB: VHN-148689 // JVNDB: JVNDB-2019-009608 // CNNVD: CNNVD-201909-993 // NVD: CVE-2019-16533

REFERENCES

url: https://www.facebook.com/huang.yuhsiang.phone/posts/1815316691945755

Trust: 3.1

url: https://nvd.nist.gov/vuln/detail/cve-2019-16533

Trust: 2.0

url: https://www.draytek.com/about/security-advisory/urgent-security-updates-to-draytek-routers

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-16533

Trust: 0.8

sources: CNVD: CNVD-2020-53296 // VULHUB: VHN-148689 // JVNDB: JVNDB-2019-009608 // CNNVD: CNNVD-201909-993 // NVD: CVE-2019-16533

SOURCES

db: CNVD, id: CNVD-2020-53296
db: VULHUB, id: VHN-148689
db: JVNDB, id: JVNDB-2019-009608
db: CNNVD, id: CNNVD-201909-993
db: NVD, id: CVE-2019-16533

LAST UPDATE DATE

2024-11-23T22:16:50.015000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-53296, date: 2020-09-23T00:00:00
db: VULHUB, id: VHN-148689, date: 2020-04-06T00:00:00
db: JVNDB, id: JVNDB-2019-009608, date: 2019-09-25T00:00:00
db: CNNVD, id: CNNVD-201909-993, date: 2020-04-07T00:00:00
db: NVD, id: CVE-2019-16533, date: 2024-11-21T04:30:46.747

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-53296, date: 2020-08-20T00:00:00
db: VULHUB, id: VHN-148689, date: 2019-09-20T00:00:00
db: JVNDB, id: JVNDB-2019-009608, date: 2019-09-25T00:00:00
db: CNNVD, id: CNNVD-201909-993, date: 2019-09-20T00:00:00
db: NVD, id: CVE-2019-16533, date: 2019-09-20T16:15:13.553