Netgear SRX5308 до 4.3.5-3 Web Management Interface platform.cgi dhcp.SecDnsIPByte2 межсайтовый скриптинг

Уязвимость, классифицированная как проблемные, была найдена в Netgear SRX5308 до 4.3.5-3. Затронута неизвестная функция файла scgi-bin/platform.cgi?page=dmz_setup.htm компонента Web Management Interface. Использование CWE для объявления проблемы приводит к тому, что CWE-79. Консультация доступна по адресу github.com. Эта уязвимость была названа CVE-2023-2384. Атаку можно инициировать удаленно. Имеются технические подробности. Более того, существует эксплойт. Эксплойт был раскрыт общественности и может быть использован. Текущая цена за эксплойт может составлять около USD $0-$5k в настоящее время. Этой уязвимости присвоен номер T1059.007 проектом MITRE ATT&CK. Объявляется proof-of-concept. Эксплойт можно загрузить по адресу github.com. В 0-дневный период предполагаемая подземная цена составляла около $5k-$25k.

Поле	28.04.2023 13:55	21.05.2023 17:29	21.05.2023 17:36
vendor	Netgear	Netgear	Netgear
name	SRX5308	SRX5308	SRX5308
version	<=4.3.5-3	<=4.3.5-3	<=4.3.5-3
component	Web Management Interface	Web Management Interface	Web Management Interface
file	scgi-bin/platform.cgi?page=dmz_setup.htm	scgi-bin/platform.cgi?page=dmz_setup.htm	scgi-bin/platform.cgi?page=dmz_setup.htm
argument	dhcp.SecDnsIPByte2	dhcp.SecDnsIPByte2	dhcp.SecDnsIPByte2
cwe	79 (межсайтовый скриптинг)	79 (межсайтовый скриптинг)	79 (межсайтовый скриптинг)
risk	1	1	1
cvss3_vuldb_av	N	N	N
cvss3_vuldb_ac	L	L	L
cvss3_vuldb_pr	H	H	H
cvss3_vuldb_ui	R	R	R
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	N	N	N
cvss3_vuldb_i	L	L	L
cvss3_vuldb_a	N	N	N
cvss3_vuldb_e	P	P	P
cvss3_vuldb_rc	R	R	R
url	https://github.com/leetsun/IoT/tree/main/Netgear-SRX5308/3	https://github.com/leetsun/IoT/tree/main/Netgear-SRX5308/3	https://github.com/leetsun/IoT/tree/main/Netgear-SRX5308/3
availability	1	1	1
publicity	1	1	1
url	https://github.com/leetsun/IoT/tree/main/Netgear-SRX5308/3	https://github.com/leetsun/IoT/tree/main/Netgear-SRX5308/3	https://github.com/leetsun/IoT/tree/main/Netgear-SRX5308/3
cve	CVE-2023-2384	CVE-2023-2384	CVE-2023-2384
responsible	VulDB	VulDB	VulDB
response_summary	The vendor was contacted early about this disclosure but did not respond in any way.	The vendor was contacted early about this disclosure but did not respond in any way.	The vendor was contacted early about this disclosure but did not respond in any way.
date	1682632800 (28.04.2023)	1682632800 (28.04.2023)	1682632800 (28.04.2023)
cvss2_vuldb_av	N	N	N
cvss2_vuldb_ac	L	L	L
cvss2_vuldb_au	M	M	M
cvss2_vuldb_ci	N	N	N
cvss2_vuldb_ii	P	P	P
cvss2_vuldb_ai	N	N	N
cvss2_vuldb_e	POC	POC	POC
cvss2_vuldb_rc	UR	UR	UR
cvss2_vuldb_rl	ND	ND	ND
cvss3_vuldb_rl	X	X	X
cvss2_vuldb_basescore	3.3	3.3	3.3
cvss2_vuldb_tempscore	2.8	2.8	2.8
cvss3_vuldb_basescore	2.4	2.4	2.4
cvss3_vuldb_tempscore	2.2	2.2	2.2
cvss3_meta_basescore	2.4	2.4	3.2
cvss3_meta_tempscore	2.2	2.2	3.1
price_0day	$5k-$25k	$5k-$25k	$5k-$25k
cve_assigned		1682632800 (28.04.2023)	1682632800 (28.04.2023)
cve_nvd_summary		A vulnerability was found in Netgear SRX5308 up to 4.3.5-3. It has been declared as problematic. This vulnerability affects unknown code of the file scgi-bin/platform.cgi?page=dmz_setup.htm of the component Web Management Interface. The manipulation of the argument dhcp.SecDnsIPByte2 leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-227662 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.	A vulnerability was found in Netgear SRX5308 up to 4.3.5-3. It has been declared as problematic. This vulnerability affects unknown code of the file scgi-bin/platform.cgi?page=dmz_setup.htm of the component Web Management Interface. The manipulation of the argument dhcp.SecDnsIPByte2 leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-227662 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
cvss3_nvd_av			N
cvss3_nvd_ac			L
cvss3_nvd_pr			H
cvss3_nvd_ui			R
cvss3_nvd_s			C
cvss3_nvd_c			L
cvss3_nvd_i			L
cvss3_nvd_a			N
cvss2_nvd_av			N
cvss2_nvd_ac			L
cvss2_nvd_au			M
cvss2_nvd_ci			N
cvss2_nvd_ii			P
cvss2_nvd_ai			N
cvss3_cna_av			N
cvss3_cna_ac			L
cvss3_cna_pr			H
cvss3_cna_ui			R
cvss3_cna_s			U
cvss3_cna_c			N
cvss3_cna_i			L
cvss3_cna_a			N
cve_cna			VulDB
cvss2_nvd_basescore			3.3
cvss3_nvd_basescore			4.8
cvss3_cna_basescore			2.4

◂ Предыдущий Обзор Далее ▸

Might our Artificial Intelligence support you?

Check our Alexa App!