Details of VAR-202004-1384

ID

VAR-202004-1384

CVE

CVE-2017-18821

TITLE

plural NETGEAR Cross-site scripting vulnerabilities in devices

Trust: 0.8

sources: JVNDB: JVNDB-2017-014930

DESCRIPTION

Certain NETGEAR devices are affected by stored XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15. plural NETGEAR A cross-site scripting vulnerability exists in the device.Information may be obtained and tampered with. NETGEAR M4300-28G, etc. are all managed switches of NETGEAR. The vulnerability stems from the lack of correct verification of client data in WEB applications. An attacker can use this vulnerability to execute client code

Trust: 2.16

sources: NVD: CVE-2017-18821 // JVNDB: JVNDB-2017-014930 // CNVD: CNVD-2021-52965

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-52965

AFFECTED PRODUCTS

vendor:	netgear	model:	m4300-28g	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-52g	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-8x8f	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-12x12f	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-24x24f	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-24x	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-48x	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4200	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-28g-poe\+	scope:	lt	version:	12.0.2.15	Trust: 1.0
vendor:	netgear	model:	m4300-52g-poe\+	scope:	lt	version:	12.0.2.15	Trust: 1.0
vendor:	netgear	model:	m4200	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-12x12f	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-24x	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-24x24f	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-28g	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-28g-poe+	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-48x	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-52g	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-52g-poe+	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-8x8f	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-28g-poe+	scope:	lt	version:	12.0.2.15	Trust: 0.6
vendor:	netgear	model:	m4300-52g-poe+	scope:	lt	version:	12.0.2.15	Trust: 0.6

sources: CNVD: CNVD-2021-52965 // JVNDB: JVNDB-2017-014930 // NVD: CVE-2017-18821

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-18821
value:	MEDIUM
Trust: 1.0
cve@mitre.org:	CVE-2017-18821
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2017-014930
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2021-52965
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-202004-1791
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2017-18821
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2017-014930
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2021-52965
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2017-18821
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.7
impactScore:	2.7
version:	3.1
Trust: 1.0
cve@mitre.org:	CVE-2017-18821
baseSeverity:	MEDIUM
baseScore:	5.2
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	1.1
impactScore:	3.7
version:	3.0
Trust: 1.0
NVD:	JVNDB-2017-014930
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-52965 // JVNDB: JVNDB-2017-014930 // CNNVD: CNNVD-202004-1791 // NVD: CVE-2017-18821 // NVD: CVE-2017-18821

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2017-014930 // NVD: CVE-2017-18821

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-1791

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202004-1791

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014930

PATCH

title:	Security Advisory for Store Cross Site Scripting Vulnerability on Some Fully Managed Switches, PSV-2017-1948	url:	https://kb.netgear.com/000049044/Security-Advisory-for-Store-Cross-Site-Scripting-on-Some-Fully-Managed-Switches-PSV-2017-1948	Trust: 0.8
title:	Patch for Cross-site scripting vulnerabilities in multiple NETGEAR products (CNVD-2021-52965)	url:	https://www.cnvd.org.cn/patchInfo/show/280071	Trust: 0.6

sources: CNVD: CNVD-2021-52965 // JVNDB: JVNDB-2017-014930

EXTERNAL IDS

db:	NVD	id:	CVE-2017-18821	Trust: 3.0
db:	JVNDB	id:	JVNDB-2017-014930	Trust: 0.8
db:	CNVD	id:	CNVD-2021-52965	Trust: 0.6
db:	CNNVD	id:	CNNVD-202004-1791	Trust: 0.6

sources: CNVD: CNVD-2021-52965 // JVNDB: JVNDB-2017-014930 // CNNVD: CNNVD-202004-1791 // NVD: CVE-2017-18821

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2017-18821	Trust: 2.0
url:	https://kb.netgear.com/000049044/security-advisory-for-store-cross-site-scripting-on-some-fully-managed-switches-psv-2017-1948	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-18821	Trust: 0.8

sources: CNVD: CNVD-2021-52965 // JVNDB: JVNDB-2017-014930 // CNNVD: CNNVD-202004-1791 // NVD: CVE-2017-18821

SOURCES

db:	CNVD	id:	CNVD-2021-52965
db:	JVNDB	id:	JVNDB-2017-014930
db:	CNNVD	id:	CNNVD-202004-1791
db:	NVD	id:	CVE-2017-18821

LAST UPDATE DATE

2024-11-23T23:11:27.053000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-52965	date:	2021-07-21T00:00:00
db:	JVNDB	id:	JVNDB-2017-014930	date:	2020-05-22T00:00:00
db:	CNNVD	id:	CNNVD-202004-1791	date:	2020-04-26T00:00:00
db:	NVD	id:	CVE-2017-18821	date:	2024-11-21T03:21:00.443

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-52965	date:	2020-07-21T00:00:00
db:	JVNDB	id:	JVNDB-2017-014930	date:	2020-05-22T00:00:00
db:	CNNVD	id:	CNNVD-202004-1791	date:	2020-04-21T00:00:00
db:	NVD	id:	CVE-2017-18821	date:	2020-04-21T14:15:11.083