ID

VAR-201411-0455


CVE

CVE-2014-8508


TITLE

Denon AVR-3313CI 's_network.asp' Multiple HTML Injection Vulnerabilities

Trust: 0.9

sources: CNVD: CNVD-2014-08115 // BID: 70892

DESCRIPTION

Cross-site scripting (XSS) vulnerability in s_network.asp in the Denon AVR-3313CI audio/video receiver allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to Friendlyname. Authentication is not required to persist the attack. However, user interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within parameters used by s_network.asp, which does not properly sanitize user-supplied data. Some parameter values are used on multiple pages, and the injected JavaScript will therefore run when any user views any of those pages, including the portal's landing page. The Denon AVR-3313CI is a home theater amplifier. Denon AVR-3313CI 's_network.asp' has multiple HTML injection vulnerabilities because it does not properly filter user-supplied input. Other attacks are also possible.

Trust: 3.06

sources: NVD: CVE-2014-8508 // JVNDB: JVNDB-2014-005261 // ZDI: ZDI-14-371 // CNVD: CNVD-2014-08115 // BID: 70892

IOT TAXONOMY

category: ['Network device'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-08115

AFFECTED PRODUCTS

vendor: denon model: avr-3313ci scope: eq version: -

Trust: 1.6

vendor: denon model: avr-3313ci scope: - version: -

Trust: 1.3

vendor: d m holdings model: avr-3313ci scope: - version: -

Trust: 0.8

sources: ZDI: ZDI-14-371 // CNVD: CNVD-2014-08115 // JVNDB: JVNDB-2014-005261 // CNNVD: CNNVD-201411-071 // NVD: CVE-2014-8508

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8508
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-8508
value: MEDIUM

Trust: 0.8

ZDI: CVE-2014-8508
value: MEDIUM

Trust: 0.7

CNVD: CNVD-2014-08115
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201411-071
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2014-8508
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2014-8508
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

CNVD: CNVD-2014-08115
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: ZDI: ZDI-14-371 // CNVD: CNVD-2014-08115 // JVNDB: JVNDB-2014-005261 // CNNVD: CNNVD-201411-071 // NVD: CVE-2014-8508

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2014-005261 // NVD: CVE-2014-8508

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-071

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201411-071

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005261

PATCH

title: AVR-3313CI url: http://www.denon.jp/jp/Product/Pages/Product-Detail.aspx?Catid=9435625a-cc70-40e3-9319-d8e2db09de1f%20&SubId=181cee58-952a-4135-969a-e2d2df6a4622&ProductId=AVR-3313#.VFwzmWf5Qcs

Trust: 0.8

sources: JVNDB: JVNDB-2014-005261

EXTERNAL IDS

db: NVD id: CVE-2014-8508

Trust: 4.0

db: ZDI id: ZDI-14-371

Trust: 3.1

db: BID id: 70892

Trust: 2.5

db: JVNDB id: JVNDB-2014-005261

Trust: 0.8

db: ZDI_CAN id: ZDI-CAN-2333

Trust: 0.7

db: CNVD id: CNVD-2014-08115

Trust: 0.6

db: CNNVD id: CNNVD-201411-071

Trust: 0.6

sources: ZDI: ZDI-14-371 // CNVD: CNVD-2014-08115 // BID: 70892 // JVNDB: JVNDB-2014-005261 // CNNVD: CNNVD-201411-071 // NVD: CVE-2014-8508

REFERENCES

url: http://www.zerodayinitiative.com/advisories/zdi-14-371/

Trust: 2.4

url: http://www.securityfocus.com/bid/70892

Trust: 2.2

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8508

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8508

Trust: 0.8

sources: CNVD: CNVD-2014-08115 // JVNDB: JVNDB-2014-005261 // CNNVD: CNNVD-201411-071 // NVD: CVE-2014-8508

CREDITS

Ricky "HeadlessZeke" Lawshae of HP DVLabs

Trust: 1.6

sources: ZDI: ZDI-14-371 // BID: 70892 // CNNVD: CNNVD-201411-071

SOURCES

db: ZDI id: ZDI-14-371
db: CNVD id: CNVD-2014-08115
db: BID id: 70892
db: JVNDB id: JVNDB-2014-005261
db: CNNVD id: CNNVD-201411-071
db: NVD id: CVE-2014-8508

LAST UPDATE DATE

2025-04-13T23:37:37.761000+00:00


SOURCES UPDATE DATE

db: ZDI id: ZDI-14-371 date: 2014-11-03T00:00:00
db: CNVD id: CNVD-2014-08115 date: 2014-11-06T00:00:00
db: BID id: 70892 date: 2014-11-04T00:00:00
db: JVNDB id: JVNDB-2014-005261 date: 2014-11-07T00:00:00
db: CNNVD id: CNNVD-201411-071 date: 2014-11-13T00:00:00
db: NVD id: CVE-2014-8508 date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: ZDI id: ZDI-14-371 date: 2014-11-03T00:00:00
db: CNVD id: CNVD-2014-08115 date: 2014-11-06T00:00:00
db: BID id: 70892 date: 2014-11-04T00:00:00
db: JVNDB id: JVNDB-2014-005261 date: 2014-11-07T00:00:00
db: CNNVD id: CNNVD-201411-071 date: 2014-11-06T00:00:00
db: NVD id: CVE-2014-8508 date: 2014-11-06T15:55:10.100