Cross-Site Scripting in Peplink Balance Devices
CVE-2017-8838

6.1 MEDIUM

Key Information:

Vendor: Peplink
CVE Published: 5 June 2017

What is CVE-2017-8838?

The vulnerability allows for Cross-Site Scripting on various Peplink Balance devices, primarily affecting the cgi-bin/HASync/hasync.cgi script. Devices running firmware versions prior to fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093 are susceptible. An attacker can exploit this vulnerability by injecting malicious scripts, leading to unauthorized actions performed on behalf of authenticated users, compromising their security and privacy.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
