ID

VAR-201311-0382


CVE

CVE-2013-6852


TITLE

HP 2620 switch 'html/json.html' Cross-Site Request Forgery Vulnerability

Trust: 0.8

sources: IVD: 75f07120-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14669

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in html/json.html on HP 2620 switches allows remote attackers to hijack the authentication of administrators for requests that change an administrative password via the setPassword method. The HP 2620 switches are switch devices developed by HP. The HP 2620 switch series is prone to a cross-site request forgery vulnerability because it fails to properly validate HTTP requests. Exploiting this issue may allow a remote attacker to perform certain unauthorized administrative actions. Other attacks are also possible. This series of switches supports IPv4/IPv6 static and RIP routing functions.

Trust: 2.7

sources: NVD: CVE-2013-6852 // JVNDB: JVNDB-2013-005227 // CNVD: CNVD-2013-14669 // BID: 63690 // IVD: 75f07120-2352-11e6-abef-000c29c66e3d // VULHUB: VHN-66854

IOT TAXONOMY

category: ['ICS', 'Network device'], sub_category: -

Trust: 0.6

category: ['ICS'], sub_category: -

Trust: 0.2

sources: IVD: 75f07120-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14669

AFFECTED PRODUCTS

vendor: hp, model: 2620-24-poe+ switch, scope: eq, version: -

Trust: 1.6

vendor: hewlett packard, model: hp 2620-24-poe+ switch, scope: -, version: -

Trust: 0.8

vendor: hp, model: switches, scope: eq, version: 2620

Trust: 0.6

vendor: 2620 24 poe switch, model: -, scope: eq, version: -

Trust: 0.2

sources: IVD: 75f07120-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14669 // JVNDB: JVNDB-2013-005227 // CNNVD: CNNVD-201311-339 // NVD: CVE-2013-6852

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-6852
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-6852
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2013-14669
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201311-339
value: MEDIUM

Trust: 0.6

IVD: 75f07120-2352-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

VULHUB: VHN-66854
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-6852
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-14669
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 75f07120-2352-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-66854
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: 75f07120-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14669 // VULHUB: VHN-66854 // JVNDB: JVNDB-2013-005227 // CNNVD: CNNVD-201311-339 // NVD: CVE-2013-6852

PROBLEMTYPE DATA

problemtype: CWE-352

Trust: 1.9

sources: VULHUB: VHN-66854 // JVNDB: JVNDB-2013-005227 // NVD: CVE-2013-6852

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201311-339

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201311-339

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-005227

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-66854

PATCH

title: HP 2620 Switch Series, url: http://www8.hp.com/jp/ja/products/networking-switches/product-detail.html?oid=5171622#!tab=features

Trust: 0.8

sources: JVNDB: JVNDB-2013-005227

EXTERNAL IDS

db: NVD, id: CVE-2013-6852

Trust: 3.6

db: EXPLOIT-DB, id: 28562

Trust: 3.1

db: BID, id: 63690

Trust: 1.0

db: CNNVD, id: CNNVD-201311-339

Trust: 0.9

db: CNVD, id: CNVD-2013-14669

Trust: 0.8

db: JVNDB, id: JVNDB-2013-005227

Trust: 0.8

db: IVD, id: 75F07120-2352-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: SEEBUG, id: SSVID-82120

Trust: 0.1

db: VULHUB, id: VHN-66854

Trust: 0.1

sources: IVD: 75f07120-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14669 // VULHUB: VHN-66854 // BID: 63690 // JVNDB: JVNDB-2013-005227 // CNNVD: CNNVD-201311-339 // NVD: CVE-2013-6852

REFERENCES

url: http://www.exploit-db.com/exploits/28562/

Trust: 3.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6852

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6852

Trust: 0.8

url: http://www.hp.com/

Trust: 0.3

sources: CNVD: CNVD-2013-14669 // VULHUB: VHN-66854 // BID: 63690 // JVNDB: JVNDB-2013-005227 // CNNVD: CNNVD-201311-339 // NVD: CVE-2013-6852

CREDITS

Hubert Gradek

Trust: 0.3

sources: BID: 63690

SOURCES

db: IVD, id: 75f07120-2352-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2013-14669
db: VULHUB, id: VHN-66854
db: BID, id: 63690
db: JVNDB, id: JVNDB-2013-005227
db: CNNVD, id: CNNVD-201311-339
db: NVD, id: CVE-2013-6852

LAST UPDATE DATE

2025-04-11T23:19:27.147000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-14669, date: 2013-11-25T00:00:00
db: VULHUB, id: VHN-66854, date: 2013-11-22T00:00:00
db: BID, id: 63690, date: 2013-11-25T00:54:00
db: JVNDB, id: JVNDB-2013-005227, date: 2013-11-25T00:00:00
db: CNNVD, id: CNNVD-201311-339, date: 2013-11-22T00:00:00
db: NVD, id: CVE-2013-6852, date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: IVD, id: 75f07120-2352-11e6-abef-000c29c66e3d, date: 2013-11-25T00:00:00
db: CNVD, id: CNVD-2013-14669, date: 2013-11-25T00:00:00
db: VULHUB, id: VHN-66854, date: 2013-11-22T00:00:00
db: BID, id: 63690, date: 2013-09-26T00:00:00
db: JVNDB, id: JVNDB-2013-005227, date: 2013-11-25T00:00:00
db: CNNVD, id: CNNVD-201311-339, date: 2013-11-22T00:00:00
db: NVD, id: CVE-2013-6852, date: 2013-11-22T01:55:04.137