CVE-2017-8836

{"id": "CVE-2017-8836", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2017-06-05T14:29:00.450", "references": [{"url": "http://seclists.org/bugtraq/2017/Jun/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.exploit-db.com/exploits/42130/", "source": "cve@mitre.org"}, {"url": "https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "CSRF exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The CGI scripts in the administrative interface are affected. This allows an attacker to execute commands, if a logged in user visits a malicious website. This can for example be used to change the credentials of the administrative webinterface."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de tipo CSRF en dispositivos Peplink Balance 305, 380, 580, 710, 1350 y 2500 con versi\u00f3n de firmware anterior a fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. Los scripts CGI en la interfaz administrativa est\u00e1n afectados. Esto permite que un atacante ejecute comandos, si un usuario ha iniciado sesi\u00f3n visita un sitio web malicioso. Esto puede ser usado, por ejemplo, para cambiar las credenciales de la interfaz web administrativa."}], "lastModified": "2017-08-13T01:29:22.397", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:peplink:b305hw2_firmware:7.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C934DEA3-D52B-4780-9DB1-DB0892AC5F81"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:peplink:balance_305:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C9CB13A7-2179-46F5-9305-40AFBDE3F0F7"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:peplink:380hw6_firmware:7.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3AF409A3-1B36-4F46-A1CC-AFBEFA517201"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:peplink:balance_380:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "277BC849-D50C-407D-8A05-CA81E9742AA0"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:peplink:580hw2_firmware:7.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E44985F4-9377-41F4-BE49-B9E65A5FD9FF"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:peplink:balance_580:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "CD7DF9BE-5519-40CF-832F-DC1FE0913973"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:peplink:710hw3_firmware:7.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "584B6897-48D1-4618-9343-43AC251CD691"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:peplink:balance_710:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "6D5E9E4F-7786-4A7A-A04D-AB9DB420703A"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:peplink:1350hw2_firmware:7.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6FD22ED-88A6-44E3-A99D-3236D4E6E6B1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:peplink:balance_1350:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "BF8E6365-21EB-487B-8739-5DC7512CF01B"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:peplink:2500_firmware:7.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA09E6C0-B9D3-4E65-AFC2-A517040B2DE0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:peplink:balance_2500:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D5058786-C405-4524-BD0C-0F08CB20C580"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}