Details of VAR-202004-1390

ID

VAR-202004-1390

CVE

CVE-2017-18827

TITLE

plural NETGEAR Cross-site scripting vulnerabilities in devices

Trust: 0.8

sources: JVNDB: JVNDB-2017-014850

DESCRIPTION

Certain NETGEAR devices are affected by stored XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15. plural NETGEAR A cross-site scripting vulnerability exists in the device.Information may be obtained and tampered with. NETGEAR M4300-28G, etc. are all managed switches of NETGEAR. The vulnerability stems from the lack of correct verification of client data in WEB applications. An attacker can use this vulnerability to execute client code

Trust: 2.16

sources: NVD: CVE-2017-18827 // JVNDB: JVNDB-2017-014850 // CNVD: CNVD-2021-59152

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-59152

AFFECTED PRODUCTS

vendor:	netgear	model:	m4300-28g	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-52g	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-8x8f	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-12x12f	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-24x24f	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-24x	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-48x	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4200	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-28g-poe\+	scope:	lt	version:	12.0.2.15	Trust: 1.0
vendor:	netgear	model:	m4300-52g-poe\+	scope:	lt	version:	12.0.2.15	Trust: 1.0
vendor:	netgear	model:	m4200	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-12x12f	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-24x	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-24x24f	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-28g	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-28g-poe+	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-48x	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-52g	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-52g-poe+	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-8x8f	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-28g-poe+	scope:	lt	version:	12.0.2.15	Trust: 0.6
vendor:	netgear	model:	m4300-52g-poe+	scope:	lt	version:	12.0.2.15	Trust: 0.6

sources: CNVD: CNVD-2021-59152 // JVNDB: JVNDB-2017-014850 // NVD: CVE-2017-18827

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-18827
value:	MEDIUM
Trust: 1.0
cve@mitre.org:	CVE-2017-18827
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2017-014850
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2021-59152
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-202004-1632
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2017-18827
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2017-014850
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2021-59152
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2017-18827
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.7
impactScore:	2.7
version:	3.1
Trust: 1.0
cve@mitre.org:	CVE-2017-18827
baseSeverity:	MEDIUM
baseScore:	5.2
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	1.1
impactScore:	3.7
version:	3.0
Trust: 1.0
NVD:	JVNDB-2017-014850
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-59152 // JVNDB: JVNDB-2017-014850 // CNNVD: CNNVD-202004-1632 // NVD: CVE-2017-18827 // NVD: CVE-2017-18827

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2017-014850 // NVD: CVE-2017-18827

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-1632

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202004-1632

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014850

PATCH

title:	Security Advisory for Stored Cross Site Scripting on Some Fully Managed Switches, PSV -2017-1939	url:	https://kb.netgear.com/000049038/Security-Advisory-for-Stored-Cross-Site-Scripting-on-Some-Fully-Managed-Switches-PSV-2017-1939	Trust: 0.8
title:	Patch for Cross-site scripting vulnerabilities in multiple NETGEAR products (CNVD-2021-59152)	url:	https://www.cnvd.org.cn/patchInfo/show/284411	Trust: 0.6
title:	Multiple NETGEAR Fixes for product cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=116952	Trust: 0.6

sources: CNVD: CNVD-2021-59152 // JVNDB: JVNDB-2017-014850 // CNNVD: CNNVD-202004-1632

EXTERNAL IDS

db:	NVD	id:	CVE-2017-18827	Trust: 3.0
db:	JVNDB	id:	JVNDB-2017-014850	Trust: 0.8
db:	CNVD	id:	CNVD-2021-59152	Trust: 0.6
db:	CNNVD	id:	CNNVD-202004-1632	Trust: 0.6

sources: CNVD: CNVD-2021-59152 // JVNDB: JVNDB-2017-014850 // CNNVD: CNNVD-202004-1632 // NVD: CVE-2017-18827

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2017-18827	Trust: 2.0
url:	https://kb.netgear.com/000049038/security-advisory-for-stored-cross-site-scripting-on-some-fully-managed-switches-psv-2017-1939	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-18827	Trust: 0.8

sources: CNVD: CNVD-2021-59152 // JVNDB: JVNDB-2017-014850 // CNNVD: CNNVD-202004-1632 // NVD: CVE-2017-18827

SOURCES

db:	CNVD	id:	CNVD-2021-59152
db:	JVNDB	id:	JVNDB-2017-014850
db:	CNNVD	id:	CNNVD-202004-1632
db:	NVD	id:	CVE-2017-18827

LAST UPDATE DATE

2024-11-23T22:51:26.743000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-59152	date:	2021-08-08T00:00:00
db:	JVNDB	id:	JVNDB-2017-014850	date:	2020-05-18T00:00:00
db:	CNNVD	id:	CNNVD-202004-1632	date:	2020-04-26T00:00:00
db:	NVD	id:	CVE-2017-18827	date:	2024-11-21T03:21:01.447

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-59152	date:	2021-08-08T00:00:00
db:	JVNDB	id:	JVNDB-2017-014850	date:	2020-05-18T00:00:00
db:	CNNVD	id:	CNNVD-202004-1632	date:	2020-04-20T00:00:00
db:	NVD	id:	CVE-2017-18827	date:	2020-04-20T17:15:13.477