Details of VAR-201303-0238

ID

VAR-201303-0238

CVE

CVE-2013-0717

TITLE

Multiple NEC mobile routers vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2013-000024

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in the web-based management utility on the NEC AtermWR9500N, AtermWR8600N, AtermWR8370N, AtermWR8160N, AtermWM3600R, and AtermWM3450RN routers allow remote attackers to hijack the authentication of administrators for requests that (1) initialize settings or (2) reboot the device. Sen UENO of Tricorder Co. Ltd., Hiroshi Kumagai and Kimura Youichi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.If a user views a malicious page while logged in, settings of the product may be initialized, or the product may be rebooted. NEC aterm is a number of wireless routing devices. Because the application allows users to perform certain operations through HTTP requests without performing any validity check, the attacker can exploit the vulnerability to perform specific operations when the logged-in administrator accesses a malicious website. action. Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks

Trust: 2.43

sources: NVD: CVE-2013-0717 // JVNDB: JVNDB-2013-000024 // CNVD: CNVD-2013-01929 // BID: 58625

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2013-01929

AFFECTED PRODUCTS

vendor:	nec	model:	atermwm3600r	scope:	eq	version:	-	Trust: 1.6
vendor:	nec	model:	atermwr8160n	scope:	eq	version:	-	Trust: 1.6
vendor:	nec	model:	atermwr9500n	scope:	eq	version:	-	Trust: 1.6
vendor:	nec	model:	atermwr8370n	scope:	eq	version:	-	Trust: 1.6
vendor:	nec	model:	atermwr8600n	scope:	eq	version:	-	Trust: 1.6
vendor:	nec	model:	atermwm3450rn	scope:	eq	version:	-	Trust: 1.6
vendor:	nec	model:	aterm wm3450rn	scope:	-	version:	-	Trust: 0.8
vendor:	nec	model:	aterm wm3600r	scope:	-	version:	-	Trust: 0.8
vendor:	nec	model:	aterm wr8160n	scope:	-	version:	-	Trust: 0.8
vendor:	nec	model:	aterm wr8170n	scope:	-	version:	-	Trust: 0.8
vendor:	nec	model:	aterm wr8370n	scope:	-	version:	-	Trust: 0.8
vendor:	nec	model:	aterm wr8600n	scope:	-	version:	-	Trust: 0.8
vendor:	nec	model:	aterm wr8700n	scope:	-	version:	-	Trust: 0.8
vendor:	nec	model:	aterm wr9500n	scope:	-	version:	-	Trust: 0.8
vendor:	nec	model:	atermwr9500n router	scope:	-	version:	-	Trust: 0.6
vendor:	nec	model:	atermwr8600n router	scope:	-	version:	-	Trust: 0.6
vendor:	nec	model:	atermwr8370n router	scope:	-	version:	-	Trust: 0.6
vendor:	nec	model:	atermwr8160n router	scope:	-	version:	-	Trust: 0.6
vendor:	nec	model:	atermwm3600r router	scope:	-	version:	-	Trust: 0.6
vendor:	nec	model:	atermwm3450rn router	scope:	-	version:	-	Trust: 0.6
vendor:	nec	model:	atermwr9500n	scope:	eq	version:	0	Trust: 0.3
vendor:	nec	model:	atermwr8600n	scope:	eq	version:	0	Trust: 0.3
vendor:	nec	model:	atermwr8370n	scope:	eq	version:	0	Trust: 0.3
vendor:	nec	model:	atermwr8160n	scope:	eq	version:	0	Trust: 0.3
vendor:	nec	model:	atermwm3600r	scope:	eq	version:	0	Trust: 0.3
vendor:	nec	model:	atermwm3450rn	scope:	eq	version:	0	Trust: 0.3
vendor:	nec	model:	atermwr9300n	scope:	ne	version:	0	Trust: 0.3
vendor:	nec	model:	atermwr8750n	scope:	ne	version:	0	Trust: 0.3
vendor:	nec	model:	atermwr8175n	scope:	ne	version:	0	Trust: 0.3
vendor:	nec	model:	atermwm3800r	scope:	ne	version:	0	Trust: 0.3

sources: CNVD: CNVD-2013-01929 // BID: 58625 // JVNDB: JVNDB-2013-000024 // CNNVD: CNNVD-201303-390 // NVD: CVE-2013-0717

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-0717
value:	MEDIUM
Trust: 1.0
IPA:	JVNDB-2013-000024
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2013-01929
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201303-390
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2013-0717
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
IPA:	JVNDB-2013-000024
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:H/AU:N/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2013-01929
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:H/AU:N/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	4.9
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2013-01929 // JVNDB: JVNDB-2013-000024 // CNNVD: CNNVD-201303-390 // NVD: CVE-2013-0717

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2013-000024 // NVD: CVE-2013-0717

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201303-390

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201303-390

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-000024

PATCH

title:	NV13-005	url:	http://jpn.nec.com/security-info/secinfo/nv13-005.html	Trust: 0.8
title:	NEC multiple aterm router cross-site request forgery vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/32961	Trust: 0.6

sources: CNVD: CNVD-2013-01929 // JVNDB: JVNDB-2013-000024

EXTERNAL IDS

db:	JVNDB	id:	JVNDB-2013-000024	Trust: 3.3
db:	NVD	id:	CVE-2013-0717	Trust: 3.3
db:	JVN	id:	JVN59503133	Trust: 2.7
db:	SECUNIA	id:	52666	Trust: 1.2
db:	CNVD	id:	CNVD-2013-01929	Trust: 0.6
db:	JVN	id:	JVN#59503133	Trust: 0.6
db:	CNNVD	id:	CNNVD-201303-390	Trust: 0.6
db:	BID	id:	58625	Trust: 0.3

sources: CNVD: CNVD-2013-01929 // BID: 58625 // JVNDB: JVNDB-2013-000024 // CNNVD: CNNVD-201303-390 // NVD: CVE-2013-0717

REFERENCES

url:	http://jvn.jp/en/jp/jvn59503133/index.html	Trust: 2.7
url:	http://jpn.nec.com/security-info/secinfo/nv13-005.html	Trust: 1.9
url:	http://jvndb.jvn.jp/jvndb/jvndb-2013-000024	Trust: 1.6
url:	http://jvn.jp/en/jp/jvn59503133/6443/index.html	Trust: 1.6
url:	http://jvndb.jvn.jp/en/contents/2013/jvndb-2013-000024.html	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-0717	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-0717	Trust: 0.8
url:	http://secunia.com/advisories/52666/	Trust: 0.6
url:	http://secunia.com/advisories/52666	Trust: 0.6
url:	http://jpn.nec.com/index.html	Trust: 0.3

sources: CNVD: CNVD-2013-01929 // BID: 58625 // JVNDB: JVNDB-2013-000024 // CNNVD: CNNVD-201303-390 // NVD: CVE-2013-0717

CREDITS

Sen UENO of Tricorder Co. Ltd, Hiroshi Kumagai and Kimura Youichi

Trust: 0.3

sources: BID: 58625

SOURCES

db:	CNVD	id:	CNVD-2013-01929
db:	BID	id:	58625
db:	JVNDB	id:	JVNDB-2013-000024
db:	CNNVD	id:	CNNVD-201303-390
db:	NVD	id:	CVE-2013-0717

LAST UPDATE DATE

2025-04-11T22:53:22.432000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2013-01929	date:	2013-03-21T00:00:00
db:	BID	id:	58625	date:	2013-03-19T00:00:00
db:	JVNDB	id:	JVNDB-2013-000024	date:	2013-06-25T00:00:00
db:	CNNVD	id:	CNNVD-201303-390	date:	2013-03-20T00:00:00
db:	NVD	id:	CVE-2013-0717	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2013-01929	date:	2013-03-21T00:00:00
db:	BID	id:	58625	date:	2013-03-19T00:00:00
db:	JVNDB	id:	JVNDB-2013-000024	date:	2013-03-19T00:00:00
db:	CNNVD	id:	CNNVD-201303-390	date:	2013-03-20T00:00:00
db:	NVD	id:	CVE-2013-0717	date:	2013-03-19T18:55:03.347