Details of VAR-202205-1043

ID

VAR-202205-1043

CVE

CVE-2022-25172

TITLE

InHand Networks of ir302 Improper Permission Assignment Vulnerability for Critical Resources in Firmware

Trust: 0.8

sources: JVNDB: JVNDB-2022-009659

DESCRIPTION

An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie misses the HttpOnly flag, making it accessible via JavaScript and thus allowing an attacker, able to perform an XSS attack, to steal the session cookie. InHand Networks of ir302 A firmware vulnerability related to improper assignment of permissions to critical resources.Information may be obtained and information may be tampered with. InHand Networks InRouter Series is a series of routers from InHand Networks in the United States

Trust: 2.25

sources: NVD: CVE-2022-25172 // JVNDB: JVNDB-2022-009659 // CNVD: CNVD-2022-59185 // VULMON: CVE-2022-25172

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-59185

AFFECTED PRODUCTS

vendor:	inhandnetworks	model:	ir302	scope:	lte	version:	3.5.4	Trust: 1.0
vendor:	inhand	model:	ir302	scope:	lte	version:	ir302 firmware 3.5.4 and earlier	Trust: 0.8
vendor:	inhand	model:	ir302	scope:	-	version:	-	Trust: 0.8
vendor:	inhand	model:	ir302	scope:	eq	version:	-	Trust: 0.8
vendor:	inhand	model:	networks inrouter302	scope:	eq	version:	v3.5.4	Trust: 0.6

sources: CNVD: CNVD-2022-59185 // JVNDB: JVNDB-2022-009659 // NVD: CVE-2022-25172

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-25172
value:	MEDIUM
Trust: 1.0
talos-cna@cisco.com:	CVE-2022-25172
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-25172
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2022-59185
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202205-3115
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2022-25172
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-59185
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-25172
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
talos-cna@cisco.com:	CVE-2022-25172
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.0
NVD:	CVE-2022-25172
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-59185 // JVNDB: JVNDB-2022-009659 // CNNVD: CNNVD-202205-3115 // NVD: CVE-2022-25172 // NVD: CVE-2022-25172

PROBLEMTYPE DATA

problemtype:	CWE-732	Trust: 1.0
problemtype:	CWE-1004	Trust: 1.0
problemtype:	Improper permission assignment for critical resources (CWE-732) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-009659 // NVD: CVE-2022-25172

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-3115

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202205-3115

PATCH

title:	Patch for InHand Networks InRouter302 Information Disclosure Vulnerability (CNVD-2022-59185)	url:	https://www.cnvd.org.cn/patchInfo/show/347281	Trust: 0.6
title:	InHand Networks InRouter302 Fixes for cross-site scripting vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=193817	Trust: 0.6

sources: CNVD: CNVD-2022-59185 // CNNVD: CNNVD-202205-3115

EXTERNAL IDS

db:	NVD	id:	CVE-2022-25172	Trust: 3.9
db:	TALOS	id:	TALOS-2022-1470	Trust: 2.5
db:	JVNDB	id:	JVNDB-2022-009659	Trust: 0.8
db:	CNVD	id:	CNVD-2022-59185	Trust: 0.6
db:	CS-HELP	id:	SB2022051611	Trust: 0.6
db:	CNNVD	id:	CNNVD-202205-3115	Trust: 0.6
db:	VULMON	id:	CVE-2022-25172	Trust: 0.1

sources: CNVD: CNVD-2022-59185 // VULMON: CVE-2022-25172 // JVNDB: JVNDB-2022-009659 // CNNVD: CNNVD-202205-3115 // NVD: CVE-2022-25172

REFERENCES

url:	https://www.inhandnetworks.com/upload/attachment/202205/10/inhand-psa-2022-01.pdf	Trust: 3.1
url:	https://talosintelligence.com/vulnerability_reports/talos-2022-1470	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2022-25172	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-25172/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022051611	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2022-59185 // VULMON: CVE-2022-25172 // JVNDB: JVNDB-2022-009659 // CNNVD: CNNVD-202205-3115 // NVD: CVE-2022-25172

SOURCES

db:	CNVD	id:	CNVD-2022-59185
db:	VULMON	id:	CVE-2022-25172
db:	JVNDB	id:	JVNDB-2022-009659
db:	CNNVD	id:	CNNVD-202205-3115
db:	NVD	id:	CVE-2022-25172

LAST UPDATE DATE

2024-11-23T21:32:27.312000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-59185	date:	2022-08-25T00:00:00
db:	VULMON	id:	CVE-2022-25172	date:	2022-05-12T00:00:00
db:	JVNDB	id:	JVNDB-2022-009659	date:	2023-08-07T08:14:00
db:	CNNVD	id:	CNNVD-202205-3115	date:	2023-06-25T00:00:00
db:	NVD	id:	CVE-2022-25172	date:	2024-11-21T06:51:44.863

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-59185	date:	2022-08-25T00:00:00
db:	VULMON	id:	CVE-2022-25172	date:	2022-05-12T00:00:00
db:	JVNDB	id:	JVNDB-2022-009659	date:	2023-08-07T00:00:00
db:	CNNVD	id:	CNNVD-202205-3115	date:	2022-05-12T00:00:00
db:	NVD	id:	CVE-2022-25172	date:	2022-05-12T17:15:10.357