ID

VAR-202002-1348


CVE

CVE-2020-8839


TITLE

Cross-site scripting vulnerabilities in CHIYU BF-430 converter devices

Trust: 0.8

sources: JVNDB: JVNDB-2020-002025

DESCRIPTION

Stored XSS was discovered on CHIYU BF-430 232/485 TCP/IP Converter devices before 1.16.00, as demonstrated by the /if.cgi TF_submask field. A cross-site scripting vulnerability exists in CHIYU BF-430 converter devices. Information may be obtained and tampered with. CHIYU BF-430 is a networked server that provides communication for access control, time and attendance systems and other equipment, made by Taiwan Seven Friends Technology (CHIYU) Company of Taiwan. The vulnerability stems from the lack of proper validation of client data by web applications. An attacker could use this vulnerability to execute client-side code.

Trust: 2.16

sources: NVD: CVE-2020-8839 // JVNDB: JVNDB-2020-002025 // CNVD: CNVD-2020-08143

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-08143

AFFECTED PRODUCTS

vendor: chiyu t, model: bf-430, scope: lt, version: 1.16.00

Trust: 1.0

vendor: chiyu, model: bf-430, scope: eq, version: 1.16.00

Trust: 0.8

vendor: chiyu, model: bf-430 tcp/ip converter, scope: eq, version: 232/485<1.16.00

Trust: 0.6

vendor: chiyu t, model: bf-430, scope: eq, version: -

Trust: 0.6

sources: CNVD: CNVD-2020-08143 // JVNDB: JVNDB-2020-002025 // CNNVD: CNNVD-202002-425 // NVD: CVE-2020-8839

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-8839
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-002025
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-08143
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202002-425
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2020-8839
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-002025
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-08143
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-8839
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-002025
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-08143 // JVNDB: JVNDB-2020-002025 // CNNVD: CNNVD-202002-425 // NVD: CVE-2020-8839

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2020-002025 // NVD: CVE-2020-8839

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-425

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202002-425

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-002025

PATCH

title: Top Page, url: https://www.chiyu-t.com.tw/en/

Trust: 0.8

sources: JVNDB: JVNDB-2020-002025

EXTERNAL IDS

db: PACKETSTORM, id: 156289

Trust: 3.0

db: NVD, id: CVE-2020-8839

Trust: 3.0

db: JVNDB, id: JVNDB-2020-002025

Trust: 0.8

db: CNVD, id: CNVD-2020-08143

Trust: 0.6

db: EXPLOIT-DB, id: 48040

Trust: 0.6

db: CNNVD, id: CNNVD-202002-425

Trust: 0.6

sources: CNVD: CNVD-2020-08143 // JVNDB: JVNDB-2020-002025 // CNNVD: CNNVD-202002-425 // NVD: CVE-2020-8839

REFERENCES

url:http://packetstormsecurity.com/files/156289/chiyu-bf430-tcp-ip-converter-cross-site-scripting.html

Trust: 3.0

url:https://drive.google.com/open?id=1edn0rsgps4-yxemxl7mgh__yjdbl-won

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-8839

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-8839

Trust: 0.8

url:https://www.exploit-db.com/exploits/48040

Trust: 0.6

sources: CNVD: CNVD-2020-08143 // JVNDB: JVNDB-2020-002025 // CNNVD: CNNVD-202002-425 // NVD: CVE-2020-8839

CREDITS

Luca.Chiou

Trust: 0.6

sources: CNNVD: CNNVD-202002-425

SOURCES

db: CNVD, id: CNVD-2020-08143
db: JVNDB, id: JVNDB-2020-002025
db: CNNVD, id: CNNVD-202002-425
db: NVD, id: CVE-2020-8839

LAST UPDATE DATE

2024-11-23T22:51:29.703000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-08143, date: 2020-02-14T00:00:00
db: JVNDB, id: JVNDB-2020-002025, date: 2020-03-03T00:00:00
db: CNNVD, id: CNNVD-202002-425, date: 2020-02-19T00:00:00
db: NVD, id: CVE-2020-8839, date: 2024-11-21T05:39:32.447

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-08143, date: 2020-02-14T00:00:00
db: JVNDB, id: JVNDB-2020-002025, date: 2020-03-03T00:00:00
db: CNNVD, id: CNNVD-202002-425, date: 2020-02-11T00:00:00
db: NVD, id: CVE-2020-8839, date: 2020-02-12T15:15:14.867