Details of VAR-202004-1391

ID

VAR-202004-1391

CVE

CVE-2017-18828

TITLE

plural NETGEAR Cross-site scripting vulnerabilities in devices

Trust: 0.8

sources: JVNDB: JVNDB-2017-014851

DESCRIPTION

Certain NETGEAR devices are affected by stored XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15. plural NETGEAR A cross-site scripting vulnerability exists in the device.Information may be obtained and tampered with. NETGEAR M4300-28G, etc. are all managed switches of NETGEAR. The vulnerability stems from the lack of correct verification of client data in the WEB application. An attacker can use this vulnerability to execute client code

Trust: 2.16

sources: NVD: CVE-2017-18828 // JVNDB: JVNDB-2017-014851 // CNVD: CNVD-2020-42022

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-42022

AFFECTED PRODUCTS

vendor:	netgear	model:	m4300-28g	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-52g	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-8x8f	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-12x12f	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-24x24f	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-24x	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-48x	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4200	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-28g-poe\+	scope:	lt	version:	12.0.2.15	Trust: 1.0
vendor:	netgear	model:	m4300-52g-poe\+	scope:	lt	version:	12.0.2.15	Trust: 1.0
vendor:	netgear	model:	m4200	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-12x12f	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-24x	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-24x24f	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-28g	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-28g-poe+	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-48x	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-52g	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-52g-poe+	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-8x8f	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-28g-poe+	scope:	lt	version:	12.0.2.15	Trust: 0.6
vendor:	netgear	model:	m4300-52g-poe+	scope:	lt	version:	12.0.2.15	Trust: 0.6

sources: CNVD: CNVD-2020-42022 // JVNDB: JVNDB-2017-014851 // NVD: CVE-2017-18828

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-18828
value:	MEDIUM
Trust: 1.0
cve@mitre.org:	CVE-2017-18828
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2017-014851
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-42022
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-202004-1630
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2017-18828
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2017-014851
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-42022
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2017-18828
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.7
impactScore:	2.7
version:	3.1
Trust: 1.0
cve@mitre.org:	CVE-2017-18828
baseSeverity:	MEDIUM
baseScore:	5.2
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	1.1
impactScore:	3.7
version:	3.0
Trust: 1.0
NVD:	JVNDB-2017-014851
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-42022 // JVNDB: JVNDB-2017-014851 // CNNVD: CNNVD-202004-1630 // NVD: CVE-2017-18828 // NVD: CVE-2017-18828

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2017-014851 // NVD: CVE-2017-18828

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-1630

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202004-1630

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014851

PATCH

title:	Security Advisory for Stored Cross Site Scripting on Some Fully Managed Switches, PSV -2017-1938	url:	https://kb.netgear.com/000049033/Security-Advisory-for-Stored-Cross-Site-Scripting-on-Some-Fully-Managed-Switches-PSV-2017-1938	Trust: 0.8
title:	Patch for Cross-site scripting vulnerabilities in multiple NETGEAR products (CNVD-2020-42022)	url:	https://www.cnvd.org.cn/patchInfo/show/227037	Trust: 0.6
title:	Multiple NETGEAR Fixes for product cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=116950	Trust: 0.6

sources: CNVD: CNVD-2020-42022 // JVNDB: JVNDB-2017-014851 // CNNVD: CNNVD-202004-1630

EXTERNAL IDS

db:	NVD	id:	CVE-2017-18828	Trust: 3.0
db:	JVNDB	id:	JVNDB-2017-014851	Trust: 0.8
db:	CNVD	id:	CNVD-2020-42022	Trust: 0.6
db:	CNNVD	id:	CNNVD-202004-1630	Trust: 0.6

sources: CNVD: CNVD-2020-42022 // JVNDB: JVNDB-2017-014851 // CNNVD: CNNVD-202004-1630 // NVD: CVE-2017-18828

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2017-18828	Trust: 2.0
url:	https://kb.netgear.com/000049033/security-advisory-for-stored-cross-site-scripting-on-some-fully-managed-switches-psv-2017-1938	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-18828	Trust: 0.8

sources: CNVD: CNVD-2020-42022 // JVNDB: JVNDB-2017-014851 // CNNVD: CNNVD-202004-1630 // NVD: CVE-2017-18828

SOURCES

db:	CNVD	id:	CNVD-2020-42022
db:	JVNDB	id:	JVNDB-2017-014851
db:	CNNVD	id:	CNNVD-202004-1630
db:	NVD	id:	CVE-2017-18828

LAST UPDATE DATE

2024-11-23T22:29:39.012000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-42022	date:	2020-07-24T00:00:00
db:	JVNDB	id:	JVNDB-2017-014851	date:	2020-05-18T00:00:00
db:	CNNVD	id:	CNNVD-202004-1630	date:	2020-04-26T00:00:00
db:	NVD	id:	CVE-2017-18828	date:	2024-11-21T03:21:01.607

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-42022	date:	2020-07-24T00:00:00
db:	JVNDB	id:	JVNDB-2017-014851	date:	2020-05-18T00:00:00
db:	CNNVD	id:	CNNVD-202004-1630	date:	2020-04-20T00:00:00
db:	NVD	id:	CVE-2017-18828	date:	2020-04-20T17:15:13.697