ID

VAR-201410-1356


CVE

CVE-2014-7277


TITLE

ZyXEL SBG-3300 Security Gateway Firmware login page cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-004529

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the login page on the ZyXEL SBG-3300 Security Gateway with firmware 1.00(AADY.4)C0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified "welcome message" form data that is improperly handled during rendering of the loginMessage list item, a different vulnerability than CVE-2014-7278. The ZyXEL SBG-3300 Security Gateway is a security gateway application. Zyxel SBG-3300 series routers are prone to an HTML-injection vulnerability because they fail to properly sanitize user-supplied input. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. Zyxel SBG-3300 V1.00(AADY.4)C0 and prior are vulnerable.

Trust: 2.52

sources: NVD: CVE-2014-7277 // JVNDB: JVNDB-2014-004529 // CNVD: CNVD-2014-06641 // BID: 70232 // VULHUB: VHN-75222

IOT TAXONOMY

category: ['Network device'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-06641

AFFECTED PRODUCTS

vendor: zyxel // model: sbg3300-n // scope: eq // version: -

Trust: 1.0

vendor: zyxel // model: sbg3300-n // scope: lte // version: 1.00\(aady.4\)c0

Trust: 1.0

vendor: zyxel // model: sbg3300-n series // scope: - // version: -

Trust: 0.8

vendor: zyxel // model: sbg3300-n series // scope: lte // version: 1.00(aady.4)c0

Trust: 0.8

vendor: zyxel // model: sbg-3300 <=v1.00 c0 // scope: - // version: -

Trust: 0.6

vendor: zyxel // model: sbg3300-n // scope: eq // version: 1.00\(aady.4\)c0

Trust: 0.6

vendor: zyxel // model: sbg-3300 v1.00 c0 // scope: - // version: -

Trust: 0.3

sources: CNVD: CNVD-2014-06641 // BID: 70232 // JVNDB: JVNDB-2014-004529 // CNNVD: CNNVD-201410-105 // NVD: CVE-2014-7277

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-7277
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-7277
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-06641
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201410-105
value: MEDIUM

Trust: 0.6

VULHUB: VHN-75222
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-7277
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-06641
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-75222
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2014-06641 // VULHUB: VHN-75222 // JVNDB: JVNDB-2014-004529 // CNNVD: CNNVD-201410-105 // NVD: CVE-2014-7277

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-75222 // JVNDB: JVNDB-2014-004529 // NVD: CVE-2014-7277

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201410-105

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201410-105

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-004529

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-75222

PATCH

title: SBG3300-N Series // url: http://www.zyxel.com/be/fr/products_services/sbg3300_n_series.shtml?t=p

Trust: 0.8

sources: JVNDB: JVNDB-2014-004529

EXTERNAL IDS

db: NVD // id: CVE-2014-7277

Trust: 3.4

db: BID // id: 70232

Trust: 2.0

db: PACKETSTORM // id: 128551

Trust: 1.1

db: JVNDB // id: JVNDB-2014-004529

Trust: 0.8

db: CNNVD // id: CNNVD-201410-105

Trust: 0.7

db: CNVD // id: CNVD-2014-06641

Trust: 0.6

db: VULHUB // id: VHN-75222

Trust: 0.1

sources: CNVD: CNVD-2014-06641 // VULHUB: VHN-75222 // BID: 70232 // JVNDB: JVNDB-2014-004529 // CNNVD: CNNVD-201410-105 // NVD: CVE-2014-7277

REFERENCES

url: http://archives.neohapsis.com/archives/bugtraq/2014-10/0024.html

Trust: 3.1

url: http://seclists.org/fulldisclosure/2014/oct/19

Trust: 1.4

url: http://www.securityfocus.com/bid/70232

Trust: 1.1

url: http://packetstormsecurity.com/files/128551/zyxel-sbg-3300-security-gateway-cross-site-scripting.html

Trust: 1.1

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/96891

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-7277

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-7277

Trust: 0.8

url: http://www.zyxel.com/in/en/products_services/sbg3300_n_series.shtml?t=p

Trust: 0.3

sources: CNVD: CNVD-2014-06641 // VULHUB: VHN-75222 // BID: 70232 // JVNDB: JVNDB-2014-004529 // CNNVD: CNNVD-201410-105 // NVD: CVE-2014-7277

CREDITS

Mirko Casadei

Trust: 0.3

sources: BID: 70232

SOURCES

db: CNVD // id: CNVD-2014-06641
db: VULHUB // id: VHN-75222
db: BID // id: 70232
db: JVNDB // id: JVNDB-2014-004529
db: CNNVD // id: CNNVD-201410-105
db: NVD // id: CVE-2014-7277

LAST UPDATE DATE

2025-04-13T23:04:46.498000+00:00

SOURCES UPDATE DATE

db: CNVD // id: CNVD-2014-06641 // date: 2014-10-11T00:00:00
db: VULHUB // id: VHN-75222 // date: 2017-09-08T00:00:00
db: BID // id: 70232 // date: 2014-10-03T00:00:00
db: JVNDB // id: JVNDB-2014-004529 // date: 2014-10-07T00:00:00
db: CNNVD // id: CNNVD-201410-105 // date: 2014-10-11T00:00:00
db: NVD // id: CVE-2014-7277 // date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2014-06641 // date: 2014-10-11T00:00:00
db: VULHUB // id: VHN-75222 // date: 2014-10-04T00:00:00
db: BID // id: 70232 // date: 2014-10-03T00:00:00
db: JVNDB // id: JVNDB-2014-004529 // date: 2014-10-07T00:00:00
db: CNNVD // id: CNNVD-201410-105 // date: 2014-10-11T00:00:00
db: NVD // id: CVE-2014-7277 // date: 2014-10-04T10:55:03.833