NVD Vulnerability Detail

CVE-2017-8328

Summary	An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross site request forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface to change a user's password. Also this is a systemic issue.
Publication Date	June 19, 2019, 6:15 a.m.
Registration Date	Jan. 26, 2021, 1:29 p.m.
Last Update	Nov. 21, 2024, 12:33 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:securifi:almond_2015_firmware:al-r096:::::::*
execution environment
1	cpe:2.3:h:securifi:almond_2015:-:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:securifi:almond\+firmware:al-r096:::::::*
execution environment
1	cpe:2.3:h:securifi:almond\+:-:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:securifi:almond_firmware:al-r096:::::::*
execution environment
1	cpe:2.3:h:securifi:almond:-:::::::*

Related information, measures and tools

No	URL	タグ
1	http://packetstormsecurity.com/files/153227/Securifi-Almond-2015-Buffer-Overflow-Command-Injection-XSS-CSRF.html	Third Party Advisory VDB Entry
2	http://packetstormsecurity.com/files/153227/Securifi-Almond-2015-Buffer-Overflow-Command-Injection-XSS-CSRF.html	Third Party Advisory VDB Entry
3	https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Securifi_Almond_plus_sec_issues.pdf	Exploit Third Party Advisory
4	https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Securifi_Almond_plus_sec_issues.pdf	Exploit Third Party Advisory
5	https://seclists.org/bugtraq/2019/Jun/8	Mailing List Third Party Advisory
6	https://seclists.org/bugtraq/2019/Jun/8	Mailing List Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-352	クロスサイト・リクエスト・フォージェリ（CSRF）	https://cwe.mitre.org/data/definitions/352.html
2	CWE-352	同一生成元ポリシー違反	https://cwe.mitre.org/data/definitions/346.html

JVN Vulnerability Information

複数の Securifi Almond デバイスのファームウェアにおけるクロスサイトリクエストフォージェリの脆弱性

Title	複数の Securifi Almond デバイスのファームウェアにおけるクロスサイトリクエストフォージェリの脆弱性
Summary	Securifi Almond、Almond+、Almond 2015 デバイスのファームウェアには、クロスサイトリクエストフォージェリの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	April 29, 2017, midnight
Registration Date	June 25, 2019, 4:25 p.m.
Last Update	June 25, 2019, 4:25 p.m.

Affected System

Securifi

Securifi Almond 2015 ファームウェア AL-R096

Securifi Almond ファームウェア AL-R096

Securifi Almond+ ファームウェア AL-R096

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-8328	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8328
National Vulnerability Database (NVD)
2	CVE-2017-8328	https://nvd.nist.gov/vuln/detail/CVE-2017-8328

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-352	https://jvndb.jvn.jp/ja/cwe/CWE-352.html

ベンダー情報

No	Name	URL
Securifi
1	almond	https://www.securifi.com/ja/almond
2	almond-2015	https://www.securifi.com/ja/almond-2015
3	almondplus	https://www.securifi.com/ja/almondplus

その他

No	Name	URL
関連文書
1	Securifi_Almond_plus_sec_issues.pdf	https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Securifi_Almond_plus_sec_issues.pdf

Change Log

No	Changed Details	Date of change
1	[2019年06月25日] 掲載	June 25, 2019, 4:25 p.m.