ID

VAR-202010-0830


CVE

CVE-2020-24033


TITLE

fs.com S3900-24T4S cross-site request forgery vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-62801 // CNNVD: CNNVD-202010-1194

DESCRIPTION

An issue was discovered in fs.com S3900 24T4S 1.7.0 and earlier. The web form has no authentication or anti-CSRF token mechanism, which allows remote attackers to forge requests on behalf of a site administrator and change all settings, including deleting users and creating new users with escalated privileges. fs.com S3900 24T4S contains a cross-site request forgery vulnerability: information may be obtained, information may be tampered with, and service may be disrupted (DoS). fs.com S3900-24T4S is a gigabit stackable switch from the Chinese company FS (fast innovation). The FS S3900-24T4S switch is equipped with 24 10/100/1000Base-T ports and 4 10G SFP+ uplink ports, supports stacking of up to 6 switches, and offers simple operation, highly secure business processing capability, flexible network deployment, a borderless network experience and a complete QoS control strategy. fs.com S3900 24T4S version 1.7.0 and previous versions have security vulnerabilities. Authentication mechanism

Trust: 2.25

sources: NVD: CVE-2020-24033 // JVNDB: JVNDB-2020-012808 // CNVD: CNVD-2020-62801 // VULMON: CVE-2020-24033

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-62801

AFFECTED PRODUCTS

vendor: fs
model: s3900 24t4s
scope: lte
version: 1.7.0

Trust: 1.0

vendor: fs com
model: s3900-24t4s
scope: eq
version: -

Trust: 0.8

vendor: fs com
model: s3900-24t4s
scope: lte
version: s3900-24t4s firmware 1.7.0 and earlier

Trust: 0.8

vendor: fs
model: fs.com s3900-24t4s
scope: lte
version: <=1.7.0

Trust: 0.6

sources: CNVD: CNVD-2020-62801 // JVNDB: JVNDB-2020-012808 // NVD: CVE-2020-24033

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-24033
value: HIGH

Trust: 1.0

NVD: CVE-2020-24033
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-62801
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202010-1194
value: HIGH

Trust: 0.6

VULMON: CVE-2020-24033
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-24033
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2020-62801
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-24033
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2020-24033
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-62801 // VULMON: CVE-2020-24033 // JVNDB: JVNDB-2020-012808 // CNNVD: CNNVD-202010-1194 // NVD: CVE-2020-24033

PROBLEMTYPE DATA

problemtype: CWE-352

Trust: 1.0

problemtype: Cross-site request forgery (CWE-352) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-012808 // NVD: CVE-2020-24033

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202010-1194

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202010-1194

PATCH

title: FS S3900 Series switch
url: https://community.fs.com/jp/support/fs-s3900-series-gigabit-stackable-switches-overview.html

Trust: 0.8

title: Patch for fs.com S3900-24T4S cross-site request forgery vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/239644

Trust: 0.6

title: fs.com S3900-24T4S Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=131431

Trust: 0.6

title: PoC
url: https://github.com/Jonathan-Elias/PoC

Trust: 0.1

title: CVE-POC
url: https://github.com/0xT11/CVE-POC

Trust: 0.1

title: PoC-in-GitHub
url: https://github.com/developer3000S/PoC-in-GitHub

Trust: 0.1

title: PoC-in-GitHub
url: https://github.com/hectorgie/PoC-in-GitHub

Trust: 0.1

sources: CNVD: CNVD-2020-62801 // VULMON: CVE-2020-24033 // JVNDB: JVNDB-2020-012808 // CNNVD: CNNVD-202010-1194

EXTERNAL IDS

db: NVD
id: CVE-2020-24033

Trust: 3.1

db: JVNDB
id: JVNDB-2020-012808

Trust: 0.8

db: CNVD
id: CNVD-2020-62801

Trust: 0.6

db: CNNVD
id: CNNVD-202010-1194

Trust: 0.6

db: VULMON
id: CVE-2020-24033

Trust: 0.1

sources: CNVD: CNVD-2020-62801 // VULMON: CVE-2020-24033 // JVNDB: JVNDB-2020-012808 // CNNVD: CNNVD-202010-1194 // NVD: CVE-2020-24033

REFERENCES

url: https://github.com/m0nsterrr/cve-2020-24033

Trust: 2.5

url: https://nvd.nist.gov/vuln/detail/cve-2020-24033

Trust: 2.0

url: https://github.com/m0nsterrr/s3900-24t4s-csrf-vulnerability

Trust: 1.7

url: https://cwe.mitre.org/data/definitions/352.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://github.com/jonathan-elias/poc

Trust: 0.1

sources: CNVD: CNVD-2020-62801 // VULMON: CVE-2020-24033 // JVNDB: JVNDB-2020-012808 // CNNVD: CNNVD-202010-1194 // NVD: CVE-2020-24033

SOURCES

db: CNVD    id: CNVD-2020-62801
db: VULMON  id: CVE-2020-24033
db: JVNDB   id: JVNDB-2020-012808
db: CNNVD   id: CNNVD-202010-1194
db: NVD     id: CVE-2020-24033

LAST UPDATE DATE

2024-11-23T22:40:55.754000+00:00


SOURCES UPDATE DATE

db: CNVD    id: CNVD-2020-62801     date: 2020-11-12T00:00:00
db: VULMON  id: CVE-2020-24033      date: 2020-11-02T00:00:00
db: JVNDB   id: JVNDB-2020-012808   date: 2021-06-03T08:40:00
db: CNNVD   id: CNNVD-202010-1194   date: 2020-11-03T00:00:00
db: NVD     id: CVE-2020-24033      date: 2024-11-21T05:14:20.587

SOURCES RELEASE DATE

db: CNVD    id: CNVD-2020-62801     date: 2020-11-12T00:00:00
db: VULMON  id: CVE-2020-24033      date: 2020-10-22T00:00:00
db: JVNDB   id: JVNDB-2020-012808   date: 2021-06-03T00:00:00
db: CNNVD   id: CNNVD-202010-1194   date: 2020-10-22T00:00:00
db: NVD     id: CVE-2020-24033      date: 2020-10-22T14:15:13.457