CVE-2014-2045 in Multichannel VPN Router 300info

Summary

by MITRE

Multiple cross-site scripting (XSS) vulnerabilities in the old and new interfaces in Viprinet Multichannel VPN Router 300 allow remote attackers to inject arbitrary web script or HTML via the username when (1) logging in or (2) creating an account in the old interface, (3) username when creating an account in the new interface, (4) hostname in the old interface, (5) inspect parameter in the config module, (6) commands parameter in the atcommands tool, or (7) host parameter in the ping tool.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 05/14/2026

The vulnerability described in CVE-2014-2045 represents a critical cross-site scripting flaw affecting the Viprinet Multichannel VPN Router 300 device. This vulnerability manifests across multiple interfaces and functional components of the router's web-based management system, creating an extensive attack surface that could be exploited by remote threat actors. The affected interfaces include both legacy 'old' and newer 'new' management portals, indicating that the security flaw is deeply embedded within the router's web application architecture rather than being a superficial issue.

The technical implementation of this vulnerability stems from inadequate input validation and output encoding within the router's web interface components. When users interact with the authentication and account creation processes through either interface, the system fails to properly sanitize user-supplied data before incorporating it into web responses. This allows attackers to inject malicious javascript code or html elements that will execute in the context of other users' browsers who view the affected pages. The vulnerability specifically targets parameters including username fields during login and account creation, hostname values in the old interface, inspect parameters within the config module, atcommands tool commands, and ping tool host parameters, demonstrating that the flaw affects various data entry points throughout the router's management functionality.

The operational impact of this vulnerability is significant as it enables remote code execution through browser-based attacks without requiring authentication to the router itself. An attacker could craft malicious requests that, when viewed by administrators or other legitimate users, would execute arbitrary scripts in their browsers and potentially compromise the security of the entire network. The attack vector is particularly dangerous because it can be initiated through multiple pathways including account creation, configuration management, and network diagnostic tools, making it difficult to defend against completely. This vulnerability directly relates to CWE-79 which defines cross-site scripting flaws as the injection of malicious code into web applications, and aligns with ATT&CK technique T1566.001 for spearphishing with a link, as the malicious payloads could be delivered through crafted web requests that appear legitimate to users.

Mitigation strategies should focus on implementing comprehensive input validation and output encoding across all user-supplied parameters within the router's web interfaces. The device firmware should be updated to properly sanitize all input fields before rendering them in web responses, with particular attention to the identified vulnerable parameters including username, hostname, inspect, commands, and host fields. Network administrators should also implement network segmentation and access controls to limit exposure, while monitoring for suspicious web traffic patterns that might indicate exploitation attempts. Regular security assessments of network device web interfaces should be conducted to identify similar vulnerabilities, and the router should be configured to use secure communication protocols when available to prevent man-in-the-middle attacks that could facilitate exploitation of this vulnerability.

Reservation

02/19/2014

Disclosure

01/20/2017

Moderation

accepted

Entry

VDB-95749

CPE

ready

Exploit

Download

EPSS

0.04529

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!