ID

VAR-201601-0405


CVE

CVE-2016-1140


TITLE

HOME SPOT CUBE vulnerable to clickjacking

Trust: 0.8

sources: JVNDB: JVNDB-2016-000011

DESCRIPTION

KDDI HOME SPOT CUBE devices before 2 allow remote attackers to conduct clickjacking attacks via unspecified vectors. HOME SPOT CUBE provided by KDDI CORPORATION is a wireless LAN router. Masaki Yoshikawa of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. An arbitrary administrative operation such as setting alteration may be executed.

A security vulnerability exists in previous versions of KDDI HOME SPOT CUBE 2. A remote attacker can exploit this vulnerability to execute arbitrary OS commands.

KDDI Home Spot Cube is prone to the following security vulnerabilities:

Cross-site scripting - CVE-2016-1136
Open redirect - CVE-2016-1137
HTTP header injection - CVE-2016-1138
Cross-site request forgery - CVE-2016-1139
Clickjacking - CVE-2016-1140
OS command injection - CVE-2016-1141

Attackers can exploit these issues to execute arbitrary script or HTML code, steal cookie-based authentication credentials, conduct phishing attacks, inject arbitrary HTTP headers, execute arbitrary OS commands in the context of the affected application, gain unauthorized access to the affected application, obtain sensitive information, and perform certain unauthorized actions.

Trust: 3.06

sources: NVD: CVE-2016-1140 // JVNDB: JVNDB-2016-000011 // CNVD: CNVD-2016-00911 // CNVD: CNVD-2016-00912 // BID: 81982 // VULHUB: VHN-89959

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 1.2

sources: CNVD: CNVD-2016-00911 // CNVD: CNVD-2016-00912

AFFECTED PRODUCTS

vendor: kddi, model: home spot cube, scope: eq, version: 2.0

Trust: 1.6

vendor: kddi, model: home spot cube devices, scope: lt, version: 2

Trust: 1.2

vendor: kddi, model: home spot cube, scope: -, version: -

Trust: 0.8

vendor: kddi, model: home spot cube, scope: eq, version: 0

Trust: 0.3

sources: CNVD: CNVD-2016-00911 // CNVD: CNVD-2016-00912 // BID: 81982 // JVNDB: JVNDB-2016-000011 // CNNVD: CNNVD-201601-693 // NVD: CVE-2016-1140

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-1140
value: MEDIUM

Trust: 1.0

IPA: JVNDB-2016-000011
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2016-00911
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2016-00912
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201601-693
value: MEDIUM

Trust: 0.6

VULHUB: VHN-89959
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-1140
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2016-000011
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2016-00911
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2016-00912
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-89959
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-1140
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.0

IPA: JVNDB-2016-000011
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2016-00911 // CNVD: CNVD-2016-00912 // VULHUB: VHN-89959 // JVNDB: JVNDB-2016-000011 // CNNVD: CNNVD-201601-693 // NVD: CVE-2016-1140

PROBLEMTYPE DATA

problemtype: CWE-254

Trust: 1.1

problemtype: CWE-Other

Trust: 0.8

sources: VULHUB: VHN-89959 // JVNDB: JVNDB-2016-000011 // NVD: CVE-2016-1140

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201601-693

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201601-693

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-000011

PATCH

title: Notes on use of HOME SPOT CUBE
url: http://www.au.kddi.com/mobile/service/smartphone/wifi/homespot/#anc06

Trust: 0.8

title: KDDI HOME SPOT CUBE devices has an unspecified vulnerability (CNVD-2016-00911) patch
url: https://www.cnvd.org.cn/patchInfo/show/71235

Trust: 0.6

title: KDDI HOME SPOT CUBE devices has an unexplained patch
url: https://www.cnvd.org.cn/patchInfo/show/71234

Trust: 0.6

sources: CNVD: CNVD-2016-00911 // CNVD: CNVD-2016-00912 // JVNDB: JVNDB-2016-000011

EXTERNAL IDS

db: NVD, id: CVE-2016-1140

Trust: 4.0

db: JVN, id: JVN54686544

Trust: 2.8

db: JVNDB, id: JVNDB-2016-000011

Trust: 2.5

db: BID, id: 81982

Trust: 1.5

db: CNNVD, id: CNNVD-201601-693

Trust: 0.7

db: CNVD, id: CNVD-2016-00911

Trust: 0.6

db: CNVD, id: CNVD-2016-00912

Trust: 0.6

db: VULHUB, id: VHN-89959

Trust: 0.1

sources: CNVD: CNVD-2016-00911 // CNVD: CNVD-2016-00912 // VULHUB: VHN-89959 // BID: 81982 // JVNDB: JVNDB-2016-000011 // CNNVD: CNNVD-201601-693 // NVD: CVE-2016-1140

REFERENCES

url: http://jvn.jp/en/jp/jvn54686544/index.html

Trust: 2.8

url: https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1140

Trust: 2.0

url: http://www.au.kddi.com/mobile/service/smartphone/wifi/homespot/#anc06

Trust: 2.0

url: http://jvndb.jvn.jp/jvndb/jvndb-2016-000011

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1140

Trust: 0.8

sources: CNVD: CNVD-2016-00911 // CNVD: CNVD-2016-00912 // VULHUB: VHN-89959 // BID: 81982 // JVNDB: JVNDB-2016-000011 // CNNVD: CNNVD-201601-693 // NVD: CVE-2016-1140

CREDITS

Masaki Yoshikawa

Trust: 0.3

sources: BID: 81982

SOURCES

db: CNVD, id: CNVD-2016-00911
db: CNVD, id: CNVD-2016-00912
db: VULHUB, id: VHN-89959
db: BID, id: 81982
db: JVNDB, id: JVNDB-2016-000011
db: CNNVD, id: CNNVD-201601-693
db: NVD, id: CVE-2016-1140

LAST UPDATE DATE

2025-04-13T23:23:41.694000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2016-00911, date: 2016-02-15T00:00:00
db: CNVD, id: CNVD-2016-00912, date: 2016-02-15T00:00:00
db: VULHUB, id: VHN-89959, date: 2016-02-10T00:00:00
db: BID, id: 81982, date: 2016-01-27T00:00:00
db: JVNDB, id: JVNDB-2016-000011, date: 2016-02-16T00:00:00
db: CNNVD, id: CNNVD-201601-693, date: 2016-02-01T00:00:00
db: NVD, id: CVE-2016-1140, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2016-00911, date: 2016-02-15T00:00:00
db: CNVD, id: CNVD-2016-00912, date: 2016-02-15T00:00:00
db: VULHUB, id: VHN-89959, date: 2016-01-30T00:00:00
db: BID, id: 81982, date: 2016-01-27T00:00:00
db: JVNDB, id: JVNDB-2016-000011, date: 2016-01-27T00:00:00
db: CNNVD, id: CNNVD-201601-693, date: 2016-01-30T00:00:00
db: NVD, id: CVE-2016-1140, date: 2016-01-30T15:59:04.970