Sign-up

ID

VAR-201303-0222


CVE

CVE-2013-0126


TITLE

Verizon Fios Actiontec model MI424WR-GEN3I router vulnerable to cross-site request forgery

Trust: 0.8

sources: CERT/CC: VU#278204

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in index.cgi on the Verizon FIOS Actiontec MI424WR-GEN3I router with firmware 40.19.36 allow remote attackers to hijack the authentication of administrators for requests that (1) add administrative accounts via the username and user_level parameters or (2) enable remote administration via the is_telnet_primary and is_telnet_secondary parameters. The Verizon FIOS Actiontec router model MI424WR-GEN3I is susceptible to cross-site request forgery attacks. (CWE-352). Successful exploits can result in privileged commands running on the affected devices, including enabling remote access to the web administration interface. This may lead to further network-based attacks. Verizon FIOS is a wireless fiber optic broadband router produced by Verizon in the United States

Trust: 2.7

sources: NVD: CVE-2013-0126 // CERT/CC: VU#278204 // JVNDB: JVNDB-2013-001920 // BID: 58553 // VULHUB: VHN-60128

AFFECTED PRODUCTS

vendor:verizonmodel:fios actiontec mi424wr-gen31 routerscope:eqversion:40.19.36

Trust: 1.6

vendor:verizonmodel:fios actiontec mi424wr-gen31 routerscope:eqversion: -

Trust: 1.0

vendor:verizonmodel: - scope: - version: -

Trust: 0.8

vendor:verizonmodel:fios actiontec mi424wr-gen3iscope: - version: -

Trust: 0.8

vendor:verizonmodel:fios actiontec mi424wr-gen3iscope:eqversion:version 40.19.36

Trust: 0.8

sources: CERT/CC: VU#278204 // JVNDB: JVNDB-2013-001920 // CNNVD: CNNVD-201303-353 // NVD: CVE-2013-0126

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2013-0126
value: MEDIUM

Trust: 1.6

nvd@nist.gov: CVE-2013-0126
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-201303-353
value: MEDIUM

Trust: 0.6

VULHUB: VHN-60128
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-0126
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

NVD: CVE-2013-0126
severity: MEDIUM
baseScore: 6.8
vectorString: NONE
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-60128
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#278204 // VULHUB: VHN-60128 // JVNDB: JVNDB-2013-001920 // CNNVD: CNNVD-201303-353 // NVD: CVE-2013-0126

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 2.7

sources: CERT/CC: VU#278204 // VULHUB: VHN-60128 // JVNDB: JVNDB-2013-001920 // NVD: CVE-2013-0126

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201303-353

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201303-353

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2013-001920

EXPLOIT AVAILABILITY
sources:
            
            
            CERT/CC: VU#278204 // 
            
            
            
            VULHUB: VHN-60128

PATCH
title:Top Pageurl:http://www.verizonwireless.com/b2c/index.html
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2013-001920

EXTERNAL IDS
db:NVDid:CVE-2013-0126
Trust: 3.6
db:CERT/CCid:VU#278204
Trust: 3.6
db:EXPLOIT-DBid:24860
Trust: 1.7
db:BIDid:58553
Trust: 1.0
db:JVNid:JVNVU92635832
Trust: 0.8
db:JVNDBid:JVNDB-2013-001920
Trust: 0.8
db:CNNVDid:CNNVD-201303-353
Trust: 0.7
db:SECUNIAid:52693
Trust: 0.6
db:SEEBUGid:SSVID-78547
Trust: 0.1
db:PACKETSTORMid:120869
Trust: 0.1
db:VULHUBid:VHN-60128
Trust: 0.1
sources:
            
            
            CERT/CC: VU#278204 // 
            
            
            
            VULHUB: VHN-60128 // 
            
            
            
            BID: 58553 // 
            
            
            
            JVNDB: JVNDB-2013-001920 // 
            
            
            
            CNNVD: CNNVD-201303-353 // 
            
            
            
            NVD: CVE-2013-0126

REFERENCES
url:http://infosec42.blogspot.com/2013/03/verizon-fios-router-csrf-cve-2013-0126.html
Trust: 2.8
url:http://www.kb.cert.org/vuls/id/278204
Trust: 2.8
url:http://www.exploit-db.com/exploits/24860/
Trust: 1.7
url:http://cwe.mitre.org/data/definitions/352.html
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-0126
Trust: 0.8
url:http://jvn.jp/cert/jvnvu92635832/
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-0126
Trust: 0.8
url:http://www.actiontec.com/products/product.php?pid=41#.uvaphjevoa5
Trust: 0.8
url:http://secunia.com/advisories/52693
Trust: 0.6
url:http://www.securityfocus.com/bid/58553
Trust: 0.6
url:http://www.actiontec.com/products/product.php?pid=189#.uuee-dekxn8
Trust: 0.3
sources:
            
            
            CERT/CC: VU#278204 // 
            
            
            
            VULHUB: VHN-60128 // 
            
            
            
            BID: 58553 // 
            
            
            
            JVNDB: JVNDB-2013-001920 // 
            
            
            
            CNNVD: CNNVD-201303-353 // 
            
            
            
            NVD: CVE-2013-0126

CREDITS
Jacob Holcomb of Independent Security Evaluators
Trust: 0.9
sources:
            
            
            BID: 58553 // 
            
            
            
            CNNVD: CNNVD-201303-353

SOURCES
db:CERT/CCid:VU#278204
db:VULHUBid:VHN-60128
db:BIDid:58553
db:JVNDBid:JVNDB-2013-001920
db:CNNVDid:CNNVD-201303-353
db:NVDid:CVE-2013-0126

LAST UPDATE DATE
2025-04-11T23:14:43.889000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#278204date:2013-12-05T00:00:00
db:VULHUBid:VHN-60128date:2013-10-07T00:00:00
db:BIDid:58553date:2013-03-18T00:00:00
db:JVNDBid:JVNDB-2013-001920date:2013-03-26T00:00:00
db:CNNVDid:CNNVD-201303-353date:2013-03-29T00:00:00
db:NVDid:CVE-2013-0126date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:CERT/CCid:VU#278204date:2013-03-18T00:00:00
db:VULHUBid:VHN-60128date:2013-03-21T00:00:00
db:BIDid:58553date:2013-03-18T00:00:00
db:JVNDBid:JVNDB-2013-001920date:2013-03-21T00:00:00
db:CNNVDid:CNNVD-201303-353date:2013-03-19T00:00:00
db:NVDid:CVE-2013-0126date:2013-03-21T20:55:01.910