ID

VAR-202001-0302


CVE

CVE-2019-18842


TITLE

USR-WIFI232-S/T/G2/H Low Power WiFi Module Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-014076

DESCRIPTION

A cross-site scripting (XSS) vulnerability in the configuration web interface of the Jinan USR IOT USR-WIFI232-S/T/G2/H Low Power WiFi Module with web version 1.2.2 allows attackers to leak credentials of the Wi-Fi access point the module is logged into, and the web interface login credentials, by opening a Wi-Fi access point nearby with a malicious SSID. The USR-WIFI232-S/T/G2/H Low Power WiFi Module contains a cross-site scripting vulnerability. Information may be obtained and information may be falsified. The USR IOT USR-WIFI232-S and the related models are all low-power serial wireless Wi-Fi modules from China's U-Tech Internet of Things (USR IOT) company. The vulnerability stems from the lack of correct verification of client data in the web application. An attacker can use this vulnerability to execute client code. The following products and versions are affected: USR IOT USR-WIFI232-S using firmware version 1.2.2; USR IOT USR-WIFI232-T using firmware version 1.2.2; USR IOT USR-WIFI232-G2 using firmware version 1.2.2; USR IOT USR-WIFI232-H using firmware version 1.2.2.

Trust: 2.79

sources: NVD: CVE-2019-18842 // JVNDB: JVNDB-2019-014076 // CNVD: CNVD-2020-03018 // CNNVD: CNNVD-202001-132 // VULMON: CVE-2019-18842

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

category: ['network device'], sub_category: access point

Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2020-03018

AFFECTED PRODUCTS

vendor: usriot, model: usr-wifi232-g2, scope: eq, version: 1.2.2

Trust: 1.0

vendor: usriot, model: usr-wifi232-h, scope: eq, version: 1.2.2

Trust: 1.0

vendor: usriot, model: usr-wifi232-t, scope: eq, version: 1.2.2

Trust: 1.0

vendor: usriot, model: usr-wifi232-s, scope: eq, version: 1.2.2

Trust: 1.0

vendor: jinan usr iot, model: usr-wifi232-g2, scope: eq, version: 1.2.2

Trust: 0.8

vendor: jinan usr iot, model: usr-wifi232-h, scope: eq, version: 1.2.2

Trust: 0.8

vendor: jinan usr iot, model: usr-wifi232-s, scope: eq, version: 1.2.2

Trust: 0.8

vendor: jinan usr iot, model: usr-wifi232-t, scope: eq, version: 1.2.2

Trust: 0.8

vendor: usr, model: iot usr-wifi232-s/t/g2/h low power wifi module, scope: eq, version: 1.2.2

Trust: 0.6

sources: CNVD: CNVD-2020-03018 // JVNDB: JVNDB-2019-014076 // NVD: CVE-2019-18842

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-18842
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-18842
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-03018
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202001-132
value: MEDIUM

Trust: 0.6

VULMON: CVE-2019-18842
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-18842
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2020-03018
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-18842
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2019-18842
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-03018 // VULMON: CVE-2019-18842 // JVNDB: JVNDB-2019-014076 // CNNVD: CNNVD-202001-132 // NVD: CVE-2019-18842

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2019-014076 // NVD: CVE-2019-18842

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202001-132

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202001-132

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-014076

PATCH

title: Top Page, url: https://www.usriot.com/

Trust: 0.8

sources: JVNDB: JVNDB-2019-014076

EXTERNAL IDS

db: NVD, id: CVE-2019-18842

Trust: 3.2

db: JVNDB, id: JVNDB-2019-014076

Trust: 0.8

db: CNVD, id: CNVD-2020-03018

Trust: 0.6

db: CNNVD, id: CNNVD-202001-132

Trust: 0.6

db: OTHER, id: NONE

Trust: 0.1

db: VULMON, id: CVE-2019-18842

Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2020-03018 // VULMON: CVE-2019-18842 // JVNDB: JVNDB-2019-014076 // CNNVD: CNNVD-202001-132 // NVD: CVE-2019-18842

REFERENCES

url:https://www.tildeho.me/theres-javascript-in-my-power-plug/

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-18842

Trust: 2.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-18842

Trust: 0.8

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2020-03018 // VULMON: CVE-2019-18842 // JVNDB: JVNDB-2019-014076 // CNNVD: CNNVD-202001-132 // NVD: CVE-2019-18842

SOURCES

db: OTHER, id: -
db: CNVD, id: CNVD-2020-03018
db: VULMON, id: CVE-2019-18842
db: JVNDB, id: JVNDB-2019-014076
db: CNNVD, id: CNNVD-202001-132
db: NVD, id: CVE-2019-18842

LAST UPDATE DATE

2025-01-30T21:50:52.300000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-03018, date: 2021-02-23T00:00:00
db: VULMON, id: CVE-2019-18842, date: 2020-01-15T00:00:00
db: JVNDB, id: JVNDB-2019-014076, date: 2020-01-31T00:00:00
db: CNNVD, id: CNNVD-202001-132, date: 2020-07-31T00:00:00
db: NVD, id: CVE-2019-18842, date: 2024-11-21T04:33:41.673

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-03018, date: 2020-01-21T00:00:00
db: VULMON, id: CVE-2019-18842, date: 2020-01-06T00:00:00
db: JVNDB, id: JVNDB-2019-014076, date: 2020-01-31T00:00:00
db: CNNVD, id: CNNVD-202001-132, date: 2020-01-06T00:00:00
db: NVD, id: CVE-2019-18842, date: 2020-01-06T21:15:11.567