Details of VAR-202004-1468

ID

VAR-202004-1468

CVE

CVE-2017-18708

TITLE

NETGEAR R8500 and R8300 cross-site request forgery vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-28008 // CNNVD: CNNVD-202004-2097

DESCRIPTION

Certain NETGEAR devices are affected by CSRF. This affects R8300 before 1.0.2.94 and R8500 before 1.0.2.94. NETGEAR R8300 and R8500 A cross-site request forgery vulnerability exists in the device.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. NETGEAR R8500 and NETGEAR R8300 are both wireless routers of NETGEAR. This vulnerability stems from the fact that WEB applications have not fully verified whether requests come from trusted users. Attackers can use this vulnerability The server sent an unexpected request. This affects R8300 prior to 1.0.2.94 and R8500 prior to 1.0.2.94

Trust: 2.25

sources: NVD: CVE-2017-18708 // JVNDB: JVNDB-2017-015006 // CNVD: CNVD-2020-28008 // VULMON: CVE-2017-18708

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-28008

AFFECTED PRODUCTS

vendor:	netgear	model:	r8300	scope:	lt	version:	1.0.2.94	Trust: 1.6
vendor:	netgear	model:	r8500	scope:	lt	version:	1.0.2.94	Trust: 1.6
vendor:	netgear	model:	r8300	scope:	eq	version:	1.0.2.94	Trust: 0.8
vendor:	netgear	model:	r8500	scope:	eq	version:	1.0.2.94	Trust: 0.8

sources: CNVD: CNVD-2020-28008 // JVNDB: JVNDB-2017-015006 // NVD: CVE-2017-18708

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-18708
value:	HIGH
Trust: 1.0
cve@mitre.org:	CVE-2017-18708
value:	HIGH
Trust: 1.0
NVD:	JVNDB-2017-015006
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2020-28008
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202004-2097
value:	HIGH
Trust: 0.6
VULMON:	CVE-2017-18708
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-18708
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
NVD:	JVNDB-2017-015006
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-28008
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2017-18708
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
cve@mitre.org:	CVE-2017-18708
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.0
NVD:	JVNDB-2017-015006
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-28008 // VULMON: CVE-2017-18708 // JVNDB: JVNDB-2017-015006 // CNNVD: CNNVD-202004-2097 // NVD: CVE-2017-18708 // NVD: CVE-2017-18708

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2017-015006 // NVD: CVE-2017-18708

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-2097

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202004-2097

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-015006

PATCH

title:	Security Advisory for Cross-Site Request Forgery on Some Routers, PSV-2017-0336	url:	https://kb.netgear.com/000053157/Security-Advisory-for-Cross-Site-Request-Forgery-on-Some-Routers-PSV-2017-0336	Trust: 0.8
title:	Patch for NETGEAR R8500 and R8300 cross-site request forgery vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/217305	Trust: 0.6
title:	NETGEAR R8500 and R8300 Fixes for cross-site request forgery vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=117020	Trust: 0.6

sources: CNVD: CNVD-2020-28008 // JVNDB: JVNDB-2017-015006 // CNNVD: CNNVD-202004-2097

EXTERNAL IDS

db:	NVD	id:	CVE-2017-18708	Trust: 3.1
db:	JVNDB	id:	JVNDB-2017-015006	Trust: 0.8
db:	CNVD	id:	CNVD-2020-28008	Trust: 0.6
db:	CNNVD	id:	CNNVD-202004-2097	Trust: 0.6
db:	VULMON	id:	CVE-2017-18708	Trust: 0.1

sources: CNVD: CNVD-2020-28008 // VULMON: CVE-2017-18708 // JVNDB: JVNDB-2017-015006 // CNNVD: CNNVD-202004-2097 // NVD: CVE-2017-18708

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2017-18708	Trust: 2.0
url:	https://kb.netgear.com/000053157/security-advisory-for-cross-site-request-forgery-on-some-routers-psv-2017-0336	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-18708	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/352.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2020-28008 // VULMON: CVE-2017-18708 // JVNDB: JVNDB-2017-015006 // CNNVD: CNNVD-202004-2097 // NVD: CVE-2017-18708

SOURCES

db:	CNVD	id:	CNVD-2020-28008
db:	VULMON	id:	CVE-2017-18708
db:	JVNDB	id:	JVNDB-2017-015006
db:	CNNVD	id:	CNNVD-202004-2097
db:	NVD	id:	CVE-2017-18708

LAST UPDATE DATE

2024-11-23T23:11:26.950000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-28008	date:	2020-05-13T00:00:00
db:	VULMON	id:	CVE-2017-18708	date:	2020-05-01T00:00:00
db:	JVNDB	id:	JVNDB-2017-015006	date:	2020-06-03T00:00:00
db:	CNNVD	id:	CNNVD-202004-2097	date:	2020-05-06T00:00:00
db:	NVD	id:	CVE-2017-18708	date:	2024-11-21T03:20:43.167

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-28008	date:	2020-05-13T00:00:00
db:	VULMON	id:	CVE-2017-18708	date:	2020-04-24T00:00:00
db:	JVNDB	id:	JVNDB-2017-015006	date:	2020-06-03T00:00:00
db:	CNNVD	id:	CNNVD-202004-2097	date:	2020-04-24T00:00:00
db:	NVD	id:	CVE-2017-18708	date:	2020-04-24T14:15:12.607