ID

VAR-201601-0401


CVE

CVE-2016-1136


TITLE

HOME SPOT CUBE vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2016-000007

DESCRIPTION

Cross-site scripting (XSS) vulnerability on KDDI HOME SPOT CUBE devices before 2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. HOME SPOT CUBE provided by KDDI CORPORATION is a wireless LAN router. Masaki Yoshikawa of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. An arbitrary script may be executed on the user's web browser. KDDI Home Spot Cube is prone to the following security vulnerabilities: cross-site scripting (CVE-2016-1136), open redirect (CVE-2016-1137), HTTP header injection (CVE-2016-1138), cross-site request forgery (CVE-2016-1139), clickjacking (CVE-2016-1140), and OS command injection (CVE-2016-1141). Attackers can exploit these issues to execute arbitrary script or HTML code, steal cookie-based authentication credentials, conduct phishing attacks, inject arbitrary HTTP headers, execute arbitrary OS commands in the context of the affected application, gain unauthorized access to the affected application, obtain sensitive information, or perform certain unauthorized actions.

Trust: 2.52

sources: NVD: CVE-2016-1136 // JVNDB: JVNDB-2016-000007 // CNVD: CNVD-2016-00845 // BID: 81982 // VULHUB: VHN-89955

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-00845

AFFECTED PRODUCTS

vendor: kddi, model: home spot cube, scope: eq, version: 2.0

Trust: 1.6

vendor: kddi, model: home spot cube, scope: -, version: -

Trust: 0.8

vendor: kddi, model: home spot cube devices, scope: lt, version: 2

Trust: 0.6

vendor: kddi, model: home spot cube, scope: eq, version: 0

Trust: 0.3

sources: CNVD: CNVD-2016-00845 // BID: 81982 // JVNDB: JVNDB-2016-000007 // CNNVD: CNNVD-201601-689 // NVD: CVE-2016-1136

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-1136
value: MEDIUM

Trust: 1.0

IPA: JVNDB-2016-000007
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2016-00845
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201601-689
value: LOW

Trust: 0.6

VULHUB: VHN-89955
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2016-1136
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2016-000007
severity: LOW
baseScore: 2.7
vectorString: AV:A/AC:L/AU:S/C:N/I:P/A:N
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2016-00845
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-89955
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-1136
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.0

IPA: JVNDB-2016-000007
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2016-00845 // VULHUB: VHN-89955 // JVNDB: JVNDB-2016-000007 // CNNVD: CNNVD-201601-689 // NVD: CVE-2016-1136

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-89955 // JVNDB: JVNDB-2016-000007 // NVD: CVE-2016-1136

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201601-689

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201601-689

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-000007

PATCH

title: Notes on use of HOME SPOT CUBE
url: http://www.au.kddi.com/mobile/service/smartphone/wifi/homespot/#anc06

Trust: 0.8

title: Patch for KDDI HOME SPOT CUBE devices cross-site scripting vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/71198

Trust: 0.6

sources: CNVD: CNVD-2016-00845 // JVNDB: JVNDB-2016-000007

EXTERNAL IDS

db: NVD, id: CVE-2016-1136

Trust: 3.4

db: JVN, id: JVN54686544

Trust: 2.8

db: JVNDB, id: JVNDB-2016-000007

Trust: 2.5

db: BID, id: 81982

Trust: 0.9

db: CNNVD, id: CNNVD-201601-689

Trust: 0.7

db: CNVD, id: CNVD-2016-00845

Trust: 0.6

db: VULHUB, id: VHN-89955

Trust: 0.1

sources: CNVD: CNVD-2016-00845 // VULHUB: VHN-89955 // BID: 81982 // JVNDB: JVNDB-2016-000007 // CNNVD: CNNVD-201601-689 // NVD: CVE-2016-1136

REFERENCES

url:http://jvn.jp/en/jp/jvn54686544/index.html

Trust: 2.8

url:http://www.au.kddi.com/mobile/service/smartphone/wifi/homespot/#anc06

Trust: 2.0

url:http://jvndb.jvn.jp/jvndb/jvndb-2016-000007

Trust: 1.7

url:https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1136

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1136

Trust: 0.8

sources: CNVD: CNVD-2016-00845 // VULHUB: VHN-89955 // BID: 81982 // JVNDB: JVNDB-2016-000007 // CNNVD: CNNVD-201601-689 // NVD: CVE-2016-1136

CREDITS

Masaki Yoshikawa

Trust: 0.3

sources: BID: 81982

SOURCES

db: CNVD, id: CNVD-2016-00845
db: VULHUB, id: VHN-89955
db: BID, id: 81982
db: JVNDB, id: JVNDB-2016-000007
db: CNNVD, id: CNNVD-201601-689
db: NVD, id: CVE-2016-1136

LAST UPDATE DATE

2025-04-13T23:23:41.804000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2016-00845, date: 2016-02-14T00:00:00
db: VULHUB, id: VHN-89955, date: 2016-02-10T00:00:00
db: BID, id: 81982, date: 2016-01-27T00:00:00
db: JVNDB, id: JVNDB-2016-000007, date: 2016-02-16T00:00:00
db: CNNVD, id: CNNVD-201601-689, date: 2016-02-01T00:00:00
db: NVD, id: CVE-2016-1136, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2016-00845, date: 2016-02-14T00:00:00
db: VULHUB, id: VHN-89955, date: 2016-01-30T00:00:00
db: BID, id: 81982, date: 2016-01-27T00:00:00
db: JVNDB, id: JVNDB-2016-000007, date: 2016-01-27T00:00:00
db: CNNVD, id: CNNVD-201601-689, date: 2016-01-30T00:00:00
db: NVD, id: CVE-2016-1136, date: 2016-01-30T15:59:01.093