XSS via orig_url exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is guest/preview.cgi.
References
Link | Resource |
---|---|
https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/ | Third Party Advisory |
http://seclists.org/bugtraq/2017/Jun/1 | Mailing List Third Party Advisory |
https://www.exploit-db.com/exploits/42130/ |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
AND |
|
Information
Published : 2017-06-05 07:29
Updated : 2017-08-12 18:29
NVD link : CVE-2017-8839
Mitre link : CVE-2017-8839
JSON object : View
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Products Affected
peplink
- 1350hw2_firmware
- b305hw2_firmware
- balance_710
- balance_305
- 2500_firmware
- 580hw2_firmware
- balance_2500
- balance_380
- balance_1350
- 380hw6_firmware
- 710hw3_firmware
- balance_580