Sign-up

ID

VAR-201401-0503


CVE

CVE-2014-1407


TITLE

Conceptronic C54APM Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2014-00257 // CNNVD: CNNVD-201401-155

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities on the Conceptronic C54APM access point with runtime code 1.26 allow remote attackers to inject arbitrary web script or HTML via (1) the submit-url parameter in a Refresh action to goform/formWlSiteSurvey or (2) the wlan-url parameter to goform/formWlanSetup. (1) goform/formWlSiteSurvey of Refresh action of submit-url Parameters (2) goform/formWlanSetup of wlan-url Parameters. The Conceptronic C54APM is a wireless AP device. A cross-site scripting vulnerability exists in the Conceptronic C54APM device. The \342\200\230wlan-url\342\200\231 parameter was not properly filtered because the goform/formWlSiteSurvey page failed to properly filter the \342\200\230submit-url\342\200\231 parameter in the Refresh operation and the goform/formWlanSetup script. Conceptronic C54APM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Conceptronic C54APM 2.0 running firmware 1.26 is vulnerable; other versions may be affected. Conceptronic C54APM is a wireless access device produced by German Conceptronic Company

Trust: 2.52

sources: NVD: CVE-2014-1407 // JVNDB: JVNDB-2014-001035 // CNVD: CNVD-2014-00257 // BID: 64793 // VULHUB: VHN-69346

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-00257

AFFECTED PRODUCTS

vendor:conceptronicmodel:c54apmscope:eqversion:1.26

Trust: 1.6

vendor:conceptronicmodel:c54apmscope:eqversion:v2

Trust: 1.0

vendor:conceptronicmodel:c54apmscope:eqversion:2.01.26

Trust: 0.9

vendor:conceptronicmodel:c54apmscope:eqversion:runtime code 1.26

Trust: 0.8

sources: CNVD: CNVD-2014-00257 // BID: 64793 // JVNDB: JVNDB-2014-001035 // CNNVD: CNNVD-201401-155 // NVD: CVE-2014-1407

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-1407
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-1407
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-00257
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201401-155
value: MEDIUM

Trust: 0.6

VULHUB: VHN-69346
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-1407
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-00257
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-69346
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2014-00257 // VULHUB: VHN-69346 // JVNDB: JVNDB-2014-001035 // CNNVD: CNNVD-201401-155 // NVD: CVE-2014-1407

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-69346 // JVNDB: JVNDB-2014-001035 // NVD: CVE-2014-1407

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201401-155

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201401-155

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-001035

PATCH
title:Conceptronic C54APM Version 2.0 Quick Installation Guideurl:http://download.conceptronic.net/manuals/C04-058_C54APM_v2.0_Quick_Guide_ML.pdf
Trust: 0.8
title:C54APMurl:http://www.conceptronic.net/es/download_list.php?stype=3&productid=341
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2014-001035

EXTERNAL IDS
db:NVDid:CVE-2014-1407
Trust: 3.4
db:OSVDBid:101919
Trust: 1.1
db:OSVDBid:101921
Trust: 1.1
db:BIDid:64793
Trust: 1.0
db:JVNDBid:JVNDB-2014-001035
Trust: 0.8
db:CNNVDid:CNNVD-201401-155
Trust: 0.7
db:CNVDid:CNVD-2014-00257
Trust: 0.6
db:VULHUBid:VHN-69346
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2014-00257 // 
            
            
            
            VULHUB: VHN-69346 // 
            
            
            
            BID: 64793 // 
            
            
            
            JVNDB: JVNDB-2014-001035 // 
            
            
            
            CNNVD: CNNVD-201401-155 // 
            
            
            
            NVD: CVE-2014-1407

REFERENCES
url:http://antoniovazquezblanco.github.io/docs/advisories/advisory_c54apm_multiple.pdf
Trust: 3.4
url:http://osvdb.org/101919
Trust: 1.1
url:http://osvdb.org/101921
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1407
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1407
Trust: 0.8
url:http://www.conceptronic.net/es/download_list.php?stype=3&productid=341
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2014-00257 // 
            
            
            
            VULHUB: VHN-69346 // 
            
            
            
            BID: 64793 // 
            
            
            
            JVNDB: JVNDB-2014-001035 // 
            
            
            
            CNNVD: CNNVD-201401-155 // 
            
            
            
            NVD: CVE-2014-1407

CREDITS
Antonio Vázquez Blanco
Trust: 0.3
sources:
            
            
            BID: 64793

SOURCES
db:CNVDid:CNVD-2014-00257
db:VULHUBid:VHN-69346
db:BIDid:64793
db:JVNDBid:JVNDB-2014-001035
db:CNNVDid:CNNVD-201401-155
db:NVDid:CVE-2014-1407

LAST UPDATE DATE
2025-04-11T23:16:35.493000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2014-00257date:2014-01-15T00:00:00
db:VULHUBid:VHN-69346date:2015-08-07T00:00:00
db:BIDid:64793date:2014-01-09T00:00:00
db:JVNDBid:JVNDB-2014-001035date:2014-01-15T00:00:00
db:CNNVDid:CNNVD-201401-155date:2014-01-13T00:00:00
db:NVDid:CVE-2014-1407date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:CNVDid:CNVD-2014-00257date:2014-01-14T00:00:00
db:VULHUBid:VHN-69346date:2014-01-10T00:00:00
db:BIDid:64793date:2014-01-09T00:00:00
db:JVNDBid:JVNDB-2014-001035date:2014-01-15T00:00:00
db:CNNVDid:CNNVD-201401-155date:2014-01-13T00:00:00
db:NVDid:CVE-2014-1407date:2014-01-10T16:47:06.193