Details of VAR-202004-1394

ID

VAR-202004-1394

CVE

CVE-2017-18831

TITLE

plural NETGEAR Cross-site scripting vulnerabilities in devices

Trust: 0.8

sources: JVNDB: JVNDB-2017-014852

DESCRIPTION

Certain NETGEAR devices are affected by stored XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15. plural NETGEAR A cross-site scripting vulnerability exists in the device.Information may be obtained and tampered with. NETGEAR M4300-28G, etc. are all managed switches of NETGEAR. The vulnerability stems from the lack of correct verification of client data in WEB applications. An attacker can use this vulnerability to execute client code

Trust: 2.16

sources: NVD: CVE-2017-18831 // JVNDB: JVNDB-2017-014852 // CNVD: CNVD-2021-59153

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-59153

AFFECTED PRODUCTS

vendor:	netgear	model:	m4300-28g	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-52g	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-8x8f	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-12x12f	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-24x24f	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-24x	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-48x	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4200	scope:	lt	version:	12.0.2.15	Trust: 1.6
vendor:	netgear	model:	m4300-28g-poe\+	scope:	lt	version:	12.0.2.15	Trust: 1.0
vendor:	netgear	model:	m4300-52g-poe\+	scope:	lt	version:	12.0.2.15	Trust: 1.0
vendor:	netgear	model:	m4200	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-12x12f	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-24x	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-24x24f	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-28g	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-28g-poe+	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-48x	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-52g	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-52g-poe+	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-8x8f	scope:	eq	version:	12.0.2.15	Trust: 0.8
vendor:	netgear	model:	m4300-28g-poe+	scope:	lt	version:	12.0.2.15	Trust: 0.6
vendor:	netgear	model:	m4300-52g-poe+	scope:	lt	version:	12.0.2.15	Trust: 0.6

sources: CNVD: CNVD-2021-59153 // JVNDB: JVNDB-2017-014852 // NVD: CVE-2017-18831

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-18831
value:	MEDIUM
Trust: 1.0
cve@mitre.org:	CVE-2017-18831
value:	HIGH
Trust: 1.0
NVD:	JVNDB-2017-014852
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2021-59153
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-202004-1637
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2017-18831
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2017-014852
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2021-59153
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2017-18831
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.7
impactScore:	2.7
version:	3.1
Trust: 1.0
cve@mitre.org:	CVE-2017-18831
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.0
Trust: 1.0
NVD:	JVNDB-2017-014852
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-59153 // JVNDB: JVNDB-2017-014852 // CNNVD: CNNVD-202004-1637 // NVD: CVE-2017-18831 // NVD: CVE-2017-18831

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2017-014852 // NVD: CVE-2017-18831

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-1637

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202004-1637

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014852

PATCH

title:	Security Advisory for Vertical Privilege Escalation on Some Fully Managed Switches, PSV-2017-1952	url:	https://kb.netgear.com/000049031/Security-Advisory-for-Vertical-Privilege-Escalation-on-Some-Fully-Managed-Switches-PSV-2017-1952	Trust: 0.8
title:	Patch for Cross-site scripting vulnerabilities in multiple NETGEAR products (CNVD-2021-59153)	url:	https://www.cnvd.org.cn/patchInfo/show/284401	Trust: 0.6
title:	Multiple NETGEAR Fixes for product cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=116956	Trust: 0.6

sources: CNVD: CNVD-2021-59153 // JVNDB: JVNDB-2017-014852 // CNNVD: CNNVD-202004-1637

EXTERNAL IDS

db:	NVD	id:	CVE-2017-18831	Trust: 3.0
db:	JVNDB	id:	JVNDB-2017-014852	Trust: 0.8
db:	CNVD	id:	CNVD-2021-59153	Trust: 0.6
db:	CNNVD	id:	CNNVD-202004-1637	Trust: 0.6

sources: CNVD: CNVD-2021-59153 // JVNDB: JVNDB-2017-014852 // CNNVD: CNNVD-202004-1637 // NVD: CVE-2017-18831

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2017-18831	Trust: 2.0
url:	https://kb.netgear.com/000049031/security-advisory-for-vertical-privilege-escalation-on-some-fully-managed-switches-psv-2017-1952	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-18831	Trust: 0.8

sources: CNVD: CNVD-2021-59153 // JVNDB: JVNDB-2017-014852 // CNNVD: CNNVD-202004-1637 // NVD: CVE-2017-18831

SOURCES

db:	CNVD	id:	CNVD-2021-59153
db:	JVNDB	id:	JVNDB-2017-014852
db:	CNNVD	id:	CNNVD-202004-1637
db:	NVD	id:	CVE-2017-18831

LAST UPDATE DATE

2024-11-23T21:59:20.421000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-59153	date:	2021-08-08T00:00:00
db:	JVNDB	id:	JVNDB-2017-014852	date:	2020-05-18T00:00:00
db:	CNNVD	id:	CNNVD-202004-1637	date:	2020-04-26T00:00:00
db:	NVD	id:	CVE-2017-18831	date:	2024-11-21T03:21:02.130

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-59153	date:	2021-08-08T00:00:00
db:	JVNDB	id:	JVNDB-2017-014852	date:	2020-05-18T00:00:00
db:	CNNVD	id:	CNNVD-202004-1637	date:	2020-04-20T00:00:00
db:	NVD	id:	CVE-2017-18831	date:	2020-04-20T17:15:14.397