NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2024-41587

Summary	Stored XSS, by authenticated users, is caused by poor sanitization of the Login Page Greeting message in DrayTek Vigor310 devices through 4.3.2.6.
Publication Date	Oct. 4, 2024, 4:15 a.m.
Registration Date	Oct. 4, 2024, noon
Last Update	Oct. 9, 2024, 12:32 a.m.

CVSS3.1 : MEDIUM
スコア	5.4
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	低
利用者の関与(UI)	要
影響の想定範囲(S)	変更あり
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	なし

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor3910_firmware::::::::					4.3.2.8
cpe:2.3:o:draytek:vigor3910_firmware::::::::		4.4.0.0			4.4.3.1
execution environment
1	cpe:2.3:h:draytek:vigor3910:-:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor3912_firmware::::::::					4.3.6.1
execution environment
1	cpe:2.3:h:draytek:vigor3912:-:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2962_firmware::::::::					4.3.2.8
cpe:2.3:o:draytek:vigor2962_firmware::::::::		4.4.0.0			4.4.3.1
execution environment
1	cpe:2.3:h:draytek:vigor2962:-:::::::*

Configuration4		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor165_firmware::::::::					4.2.7
execution environment
1	cpe:2.3:h:draytek:vigor165:-:::::::*

Configuration5		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor1000b_firmware::::::::					4.3.2.8
cpe:2.3:o:draytek:vigor1000b_firmware::::::::		4.4.0.0			4.4.3.1
execution environment
1	cpe:2.3:h:draytek:vigor1000b:-:::::::*

Configuration6		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor166_firmware::::::::					4.2.7
execution environment
1	cpe:2.3:h:draytek:vigor166:-:::::::*

Configuration7		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2135_firmware::::::::					4.4.5.3
execution environment
1	cpe:2.3:h:draytek:vigor2135:-:::::::*

Configuration8		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2763_firmware::::::::					4.4.5.3
execution environment
1	cpe:2.3:h:draytek:vigor2763:-:::::::*

Configuration9		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2765_firmware::::::::					4.4.5.3
execution environment
1	cpe:2.3:h:draytek:vigor2765:-:::::::*

Configuration10		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2865_firmware::::::::					4.4.5.2
execution environment
1	cpe:2.3:h:draytek:vigor2865:-:::::::*

Configuration11		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2766_firmware::::::::					4.4.5.3
execution environment
1	cpe:2.3:h:draytek:vigor2766:-:::::::*

Configuration12		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2866_firmware::::::::					4.4.5.2
execution environment
1	cpe:2.3:h:draytek:vigor2866:-:::::::*

Configuration13		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2915_firmware::::::::					4.4.5.3
execution environment
1	cpe:2.3:h:draytek:vigor2915:-:::::::*

Configuration14		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2620_firmware::::::::
execution environment
1	cpe:2.3:h:draytek:vigor2620:-:::::::*

Configuration15		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigorlte200_firmware::::::::
execution environment
1	cpe:2.3:h:draytek:vigorlte200:-:::::::*

Configuration16		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2133_firmware::::::::
execution environment
1	cpe:2.3:h:draytek:vigor2133:-:::::::*

Configuration17		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2762_firmware::::::::
execution environment
1	cpe:2.3:h:draytek:vigor2762:-:::::::*

Configuration18		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2832_firmware::::::::
execution environment
1	cpe:2.3:h:draytek:vigor2832:-:::::::*

Configuration19		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2860_firmware::::::::
execution environment
1	cpe:2.3:h:draytek:vigor2860:-:::::::*

Configuration20		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2862_firmware::::::::
execution environment
1	cpe:2.3:h:draytek:vigor2862:-:::::::*

Configuration21		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2925_firmware::::::::
execution environment
1	cpe:2.3:h:draytek:vigor2925:-:::::::*

Configuration22		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2926_firmware::::::::
execution environment
1	cpe:2.3:h:draytek:vigor2926:-:::::::*

Configuration23		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor2952_firmware::::::::
execution environment
1	cpe:2.3:h:draytek:vigor2952:-:::::::*

Configuration24		or higher	or less	more than	less than
cpe:2.3:o:draytek:vigor3220_firmware::::::::
execution environment
1	cpe:2.3:h:draytek:vigor3220:-:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	https://www.forescout.com/resources/draytek14-vulnerabilities		Broken Link
2	https://www.forescout.com/resources/draybreak-draytek-research/		Mitigation Technical Description Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN Vulnerability Information

DrayTek Corporation の vigor3910 ファームウェアにおけるクロスサイトスクリプティングの脆弱性

Title	DrayTek Corporation の vigor3910 ファームウェアにおけるクロスサイトスクリプティングの脆弱性
Summary	DrayTek Corporation の vigor3910 ファームウェアには、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	参考情報を参照して適切な対策を実施してください。
Publication Date	Oct. 3, 2024, midnight
Registration Date	Oct. 7, 2024, 12:05 p.m.
Last Update	Oct. 7, 2024, 12:05 p.m.

Affected System

DrayTek Corporation

vigor3910 ファームウェア 4.3.2.8 未満

vigor3910 ファームウェア 4.4.0.0 以上 4.4.3.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-41587	https://www.cve.org/CVERecord?id=CVE-2024-41587
National Vulnerability Database (NVD)
2	CVE-2024-41587	https://nvd.nist.gov/vuln/detail/CVE-2024-41587

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

その他

No	Name	URL
関連文書
1	www.forescout.com (draybreak-draytek-research)	https://www.forescout.com/resources/draybreak-draytek-research/

Change Log

No	Changed Details	Date of change
1	[2024年10月07日] 掲載	Oct. 7, 2024, 12:05 p.m.