Details of VAR-202407-2573

ID

VAR-202407-2573

CVE

CVE-2024-41685

TITLE

syrotech of sy-gpon-1110-wdont Improper Permission Assignment Vulnerability for Critical Resources in Firmware

Trust: 0.8

sources: JVNDB: JVNDB-2024-010159

DESCRIPTION

This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to capture cookies and obtain sensitive information on the targeted system. syrotech of sy-gpon-1110-wdont A firmware vulnerability related to improper assignment of permissions to critical resources.Information may be obtained. SyroTech SY-GPON-1110-WDONT is a wireless router from SyroTech

Trust: 2.16

sources: NVD: CVE-2024-41685 // JVNDB: JVNDB-2024-010159 // CNVD: CNVD-2024-34373

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-34373

AFFECTED PRODUCTS

vendor:	syrotech	model:	sy-gpon-1110-wdont	scope:	-	version:	-	Trust: 1.4
vendor:	syrotech	model:	sy-gpon-1110-wdont	scope:	eq	version:	3.1.02-231102	Trust: 1.0
vendor:	syrotech	model:	sy-gpon-1110-wdont	scope:	eq	version:	-	Trust: 0.8
vendor:	syrotech	model:	sy-gpon-1110-wdont	scope:	eq	version:	sy-gpon-1110-wdont firmware 3.1.02-231102	Trust: 0.8

sources: CNVD: CNVD-2024-34373 // JVNDB: JVNDB-2024-010159 // NVD: CVE-2024-41685

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2024-41685
value:	HIGH
Trust: 1.0
vdisclose@cert-in.org.in:	CVE-2024-41685
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2024-41685
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2024-34373
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2024-34373
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2024-41685
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2024-41685
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2024-34373 // JVNDB: JVNDB-2024-010159 // NVD: CVE-2024-41685 // NVD: CVE-2024-41685

PROBLEMTYPE DATA

problemtype:	CWE-732	Trust: 1.0
problemtype:	CWE-1004	Trust: 1.0
problemtype:	HttpOnly Important with no attributes Cookie(CWE-1004) [ others ]	Trust: 0.8
problemtype:	Improper permission assignment for critical resources (CWE-732) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-010159 // NVD: CVE-2024-41685

PATCH

title:

Patch for SyroTech SY-GPON-1110-WDONT Information Disclosure Vulnerability (CNVD-2024-34373)

url:

https://www.cnvd.org.cn/patchInfo/show/575421

Trust: 0.6

sources: CNVD: CNVD-2024-34373

EXTERNAL IDS

db:	NVD	id:	CVE-2024-41685	Trust: 3.2
db:	JVNDB	id:	JVNDB-2024-010159	Trust: 0.8
db:	CNVD	id:	CNVD-2024-34373	Trust: 0.6

sources: CNVD: CNVD-2024-34373 // JVNDB: JVNDB-2024-010159 // NVD: CVE-2024-41685

REFERENCES

url:	https://www.cert-in.org.in/s2cmainservlet?pageid=pubvlnotes01&vlcode=civn-2024-0225	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2024-41685	Trust: 1.4

sources: CNVD: CNVD-2024-34373 // JVNDB: JVNDB-2024-010159 // NVD: CVE-2024-41685

SOURCES

db:	CNVD	id:	CNVD-2024-34373
db:	JVNDB	id:	JVNDB-2024-010159
db:	NVD	id:	CVE-2024-41685

LAST UPDATE DATE

2024-10-12T23:02:44.583000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-34373	date:	2024-08-02T00:00:00
db:	JVNDB	id:	JVNDB-2024-010159	date:	2024-10-11T01:33:00
db:	NVD	id:	CVE-2024-41685	date:	2024-10-10T12:48:12.943

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-34373	date:	2024-08-02T00:00:00
db:	JVNDB	id:	JVNDB-2024-010159	date:	2024-10-11T00:00:00
db:	NVD	id:	CVE-2024-41685	date:	2024-07-26T12:15:02.977