ID

VAR-200707-0349


CVE

CVE-2007-3574


TITLE

Cisco Linksys WAG54GS Wireless-G ADSL Gateway Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2007-004075

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in setup.cgi on the Cisco Linksys WAG54GS Wireless-G ADSL Gateway with 1.00.06 firmware allow remote attackers to inject arbitrary web script or HTML via the (1) c4_trap_ip_, (2) devname, (3) snmp_getcomm, or (4) snmp_setcomm parameter.

Attackers may exploit this issue by enticing victims into opening a malicious URI. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may help the attacker steal cookie-based authentication credentials, cause denial-of-service conditions, and launch other attacks. Successful exploits will allow script code to be stored persistently in the affected device. Linksys Wireless-G ADSL Gateway WAG54GS running firmware V1.00.06 is reported vulnerable.

Linksys WAG54GS is a wireless ADSL router launched by Cisco. Linksys WAG54GS has an input validation vulnerability when processing user requests. If an attacker visits the router's configuration page and submits a malicious HTTP request, a cross-site scripting attack can be performed.

----------------------------------------------------------------------

TITLE: Linksys WAG54GS Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities

SECUNIA ADVISORY ID: SA27738

VERIFY ADVISORY: http://secunia.com/advisories/27738/

CRITICAL: Less critical

IMPACT: Cross Site Scripting

WHERE: From remote

OPERATING SYSTEM: Linksys WAG54GS Wireless-G ADSL Gateway with SpeedBooster 1.x http://secunia.com/product/16625/

DESCRIPTION: Adrian Pastor has reported some vulnerabilities in Linksys WAG54GS, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks.

1) Input passed to the "devname", "snmp_getcomm", "snmp_setcomm", and "c4_trap_ip_" parameters in setup.cgi is not properly sanitised before being returned to the user.

2) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. perform certain administrative actions by enticing a logged-in administrator to visit a malicious site.

The vulnerabilities are reported in firmware version 1.00.06. Other versions may also be affected.

SOLUTION: Vulnerability #1 has reportedly been fixed in firmware version 1.01.03. Do not browse untrusted websites or follow untrusted links while logged on to the device.

PROVIDED AND/OR DISCOVERED BY: Adrian Pastor

ORIGINAL ADVISORY: http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs

Trust: 2.07

sources: NVD: CVE-2007-3574 // JVNDB: JVNDB-2007-004075 // BID: 24682 // VULHUB: VHN-26936 // PACKETSTORM: 61204

AFFECTED PRODUCTS

vendor: linksys, model: wag54gs, scope: eq, version: 1.00.06

Trust: 1.6

vendor: cisco linksys, model: wag54gs, scope: eq, version: 1.00.06

Trust: 0.8

vendor: linksys, model: wireless-g adsl gateway wag54gs, scope: eq, version: 1.0.6

Trust: 0.3

sources: BID: 24682 // JVNDB: JVNDB-2007-004075 // CNNVD: CNNVD-200707-072 // NVD: CVE-2007-3574

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-3574
value: MEDIUM

Trust: 1.0

NVD: CVE-2007-3574
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200707-072
value: MEDIUM

Trust: 0.6

VULHUB: VHN-26936
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2007-3574
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-26936
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-26936 // JVNDB: JVNDB-2007-004075 // CNNVD: CNNVD-200707-072 // NVD: CVE-2007-3574

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-26936 // JVNDB: JVNDB-2007-004075 // NVD: CVE-2007-3574

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200707-072

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-200707-072

CONFIGURATIONS

sources: JVNDB: JVNDB-2007-004075

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-26936

PATCH

title: Linksys, url: http://home.cisco.com/en-apac/home

Trust: 0.8

sources: JVNDB: JVNDB-2007-004075

EXTERNAL IDS

db: NVD, id: CVE-2007-3574

Trust: 2.8

db: BID, id: 24682

Trust: 2.0

db: SECUNIA, id: 27738

Trust: 1.2

db: OSVDB, id: 40877

Trust: 1.1

db: OSVDB, id: 40878

Trust: 1.1

db: JVNDB, id: JVNDB-2007-004075

Trust: 0.8

db: BUGTRAQ, id: 20080301 THE ROUTER HACKING CHALLENGE IS OVER!

Trust: 0.6

db: CNNVD, id: CNNVD-200707-072

Trust: 0.6

db: EXPLOIT-DB, id: 30254

Trust: 0.1

db: SEEBUG, id: SSVID-83687

Trust: 0.1

db: VULHUB, id: VHN-26936

Trust: 0.1

db: PACKETSTORM, id: 61204

Trust: 0.1

sources: VULHUB: VHN-26936 // BID: 24682 // JVNDB: JVNDB-2007-004075 // PACKETSTORM: 61204 // CNNVD: CNNVD-200707-072 // NVD: CVE-2007-3574

REFERENCES

url:http://www.securityfocus.com/bid/24682

Trust: 1.7

url:http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs/

Trust: 1.7

url:http://www.gnucitizen.org/projects/router-hacking-challenge/

Trust: 1.7

url:http://www.securityfocus.com/data/vulnerabilities/exploits/24682.html

Trust: 1.7

url:http://secunia.com/advisories/27738/

Trust: 1.2

url:http://www.securityfocus.com/archive/1/489009/100/0/threaded

Trust: 1.1

url:http://osvdb.org/40877

Trust: 1.1

url:http://osvdb.org/40878

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-3574

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-3574

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded

Trust: 0.6

url:http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs

Trust: 0.4

url:http://www.linksys.com

Trust: 0.3

url:/archive/1/484002

Trust: 0.3

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/product/16625/

Trust: 0.1

url:http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

sources: VULHUB: VHN-26936 // BID: 24682 // JVNDB: JVNDB-2007-004075 // PACKETSTORM: 61204 // CNNVD: CNNVD-200707-072 // NVD: CVE-2007-3574

CREDITS

Adrian Pastor※ m123303@richmond.ac.uk

Trust: 0.6

sources: CNNVD: CNNVD-200707-072

SOURCES

db: VULHUB, id: VHN-26936
db: BID, id: 24682
db: JVNDB, id: JVNDB-2007-004075
db: PACKETSTORM, id: 61204
db: CNNVD, id: CNNVD-200707-072
db: NVD, id: CVE-2007-3574

LAST UPDATE DATE

2025-04-10T20:56:56.236000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-26936, date: 2018-10-15T00:00:00
db: BID, id: 24682, date: 2007-11-21T00:34:00
db: JVNDB, id: JVNDB-2007-004075, date: 2012-09-25T00:00:00
db: CNNVD, id: CNNVD-200707-072, date: 2007-07-09T00:00:00
db: NVD, id: CVE-2007-3574, date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: VULHUB, id: VHN-26936, date: 2007-07-05T00:00:00
db: BID, id: 24682, date: 2007-06-27T00:00:00
db: JVNDB, id: JVNDB-2007-004075, date: 2012-09-25T00:00:00
db: PACKETSTORM, id: 61204, date: 2007-11-27T02:10:48
db: CNNVD, id: CNNVD-200707-072, date: 2007-06-27T00:00:00
db: NVD, id: CVE-2007-3574, date: 2007-07-05T20:30:00