Details of VAR-202004-1556

ID

VAR-202004-1556

CVE

CVE-2018-21120

TITLE

plural NETGEAR Cross-site request forgery vulnerability in device

Trust: 0.8

sources: JVNDB: JVNDB-2018-016301

DESCRIPTION

Certain NETGEAR devices are affected by CSRF. This affects WAC120 before 2.1.7, WAC505 before 5.0.5.4, WAC510 before 5.0.5.4, WNAP320 before 3.7.11.4, WNAP210v2 before 3.7.11.4, WNDAP350 before 3.7.11.4, WNDAP360 before 3.7.11.4, WNDAP660 before 3.7.11.4, WNDAP620 before 2.1.7, WND930 before 2.1.5, and WN604 before 3.3.10. plural NETGEAR A cross-site request forgery vulnerability exists in the device.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. NETGEAR WAC505, etc. are all a wireless access point (AP) of NETGEAR company. The vulnerability stems from the fact that the WEB application does not fully verify whether the request comes from a trusted user. An attacker can use this vulnerability to send unexpected requests to the server through the affected client

Trust: 2.16

sources: NVD: CVE-2018-21120 // JVNDB: JVNDB-2018-016301 // CNVD: CNVD-2021-59162

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-59162

AFFECTED PRODUCTS

vendor:	netgear	model:	wac505	scope:	lt	version:	5.0.5.4	Trust: 1.6
vendor:	netgear	model:	wac510	scope:	lt	version:	5.0.5.4	Trust: 1.6
vendor:	netgear	model:	wac120	scope:	lt	version:	2.1.7	Trust: 1.6
vendor:	netgear	model:	wn604	scope:	lt	version:	3.3.10	Trust: 1.6
vendor:	netgear	model:	wnap320	scope:	lt	version:	3.7.11.4	Trust: 1.6
vendor:	netgear	model:	wndap350	scope:	lt	version:	3.7.11.4	Trust: 1.6
vendor:	netgear	model:	wndap360	scope:	lt	version:	3.7.11.4	Trust: 1.6
vendor:	netgear	model:	wndap660	scope:	lt	version:	3.7.11.4	Trust: 1.6
vendor:	netgear	model:	wndap620	scope:	lt	version:	2.1.7	Trust: 1.6
vendor:	netgear	model:	wnd930	scope:	lt	version:	2.1.5	Trust: 1.6
vendor:	netgear	model:	wnap210	scope:	lt	version:	3.7.11.4	Trust: 1.0
vendor:	netgear	model:	wac120	scope:	eq	version:	2.1.7	Trust: 0.8
vendor:	netgear	model:	wac505	scope:	eq	version:	5.0.5.4	Trust: 0.8
vendor:	netgear	model:	wac510	scope:	eq	version:	5.0.5.4	Trust: 0.8
vendor:	netgear	model:	wnap210	scope:	eq	version:	3.7.11.4	Trust: 0.8
vendor:	netgear	model:	wnap320	scope:	eq	version:	3.7.11.4	Trust: 0.8
vendor:	netgear	model:	wnd930	scope:	eq	version:	2.1.5	Trust: 0.8
vendor:	netgear	model:	wndap350	scope:	eq	version:	3.7.11.4	Trust: 0.8
vendor:	netgear	model:	wndap360	scope:	eq	version:	3.7.11.4	Trust: 0.8
vendor:	netgear	model:	wndap620	scope:	eq	version:	2.1.7	Trust: 0.8
vendor:	netgear	model:	wndap660	scope:	eq	version:	3.7.11.4	Trust: 0.8
vendor:	netgear	model:	wnap210v2	scope:	lt	version:	3.7.11.4	Trust: 0.6

sources: CNVD: CNVD-2021-59162 // JVNDB: JVNDB-2018-016301 // NVD: CVE-2018-21120

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-21120
value:	HIGH
Trust: 1.0
cve@mitre.org:	CVE-2018-21120
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2018-016301
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2021-59162
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202004-1917
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2018-21120
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.8
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2018-016301
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2021-59162
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.8
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2018-21120
baseSeverity:	HIGH
baseScore:	8.0
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.1
impactScore:	5.9
version:	3.1
Trust: 1.0
cve@mitre.org:	CVE-2018-21120
baseSeverity:	MEDIUM
baseScore:	5.2
vectorString:	CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	1.5
impactScore:	3.6
version:	3.0
Trust: 1.0
NVD:	JVNDB-2018-016301
baseSeverity:	HIGH
baseScore:	8.0
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-59162 // JVNDB: JVNDB-2018-016301 // CNNVD: CNNVD-202004-1917 // NVD: CVE-2018-21120 // NVD: CVE-2018-21120

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2018-016301 // NVD: CVE-2018-21120

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-1917

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202004-1917

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-016301

PATCH

title:	Security Advisory for Cross Site Request Forgery on Some Wireless Access Points, PSV-2018-0095	url:	https://kb.netgear.com/000060238/Security-Advisory-for-Cross-Site-Request-Forgery-on-Some-Wireless-Access-Points-PSV-2018-0095	Trust: 0.8
title:	Patch for Cross-site request forgery vulnerability in multiple NETGEAR products (CNVD-2021-59162)	url:	https://www.cnvd.org.cn/patchInfo/show/284356	Trust: 0.6
title:	Multiple NETGEAR Repair measures for product cross-site request forgery vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=117250	Trust: 0.6

sources: CNVD: CNVD-2021-59162 // JVNDB: JVNDB-2018-016301 // CNNVD: CNNVD-202004-1917

EXTERNAL IDS

db:	NVD	id:	CVE-2018-21120	Trust: 3.0
db:	JVNDB	id:	JVNDB-2018-016301	Trust: 0.8
db:	CNVD	id:	CNVD-2021-59162	Trust: 0.6
db:	CNNVD	id:	CNNVD-202004-1917	Trust: 0.6

sources: CNVD: CNVD-2021-59162 // JVNDB: JVNDB-2018-016301 // CNNVD: CNNVD-202004-1917 // NVD: CVE-2018-21120

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2018-21120	Trust: 2.0
url:	https://kb.netgear.com/000060238/security-advisory-for-cross-site-request-forgery-on-some-wireless-access-points-psv-2018-0095	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-21120	Trust: 0.8

sources: CNVD: CNVD-2021-59162 // JVNDB: JVNDB-2018-016301 // CNNVD: CNNVD-202004-1917 // NVD: CVE-2018-21120

SOURCES

db:	CNVD	id:	CNVD-2021-59162
db:	JVNDB	id:	JVNDB-2018-016301
db:	CNNVD	id:	CNNVD-202004-1917
db:	NVD	id:	CVE-2018-21120

LAST UPDATE DATE

2024-11-23T22:48:01.387000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-59162	date:	2021-08-08T00:00:00
db:	JVNDB	id:	JVNDB-2018-016301	date:	2020-05-21T00:00:00
db:	CNNVD	id:	CNNVD-202004-1917	date:	2020-04-26T00:00:00
db:	NVD	id:	CVE-2018-21120	date:	2024-11-21T04:02:56.987

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-59162	date:	2021-08-08T00:00:00
db:	JVNDB	id:	JVNDB-2018-016301	date:	2020-05-21T00:00:00
db:	CNNVD	id:	CNNVD-202004-1917	date:	2020-04-22T00:00:00
db:	NVD	id:	CVE-2018-21120	date:	2020-04-22T16:15:11.903