CVE-2024-40883

Cross-site request forgery vulnerability exists in ELECOM wireless LAN routers. Viewing a malicious page while logging in to the affected product with an administrative privilege, the user may be directed to perform unintended operations such as changing the login ID, login password, etc.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://jvn.jp/en/jp/JVN06672778/	Third Party Advisory
https://www.elecom.co.jp/news/security/20240730-01/	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:elecom:wrc-2533gs2-b_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:elecom:wrc-2533gs2-b:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:elecom:wrc-2533gs2-w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:elecom:wrc-2533gs2-w:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:elecom:wrc-2533gs2v-b_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:elecom:wrc-2533gs2v-b:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:elecom:wrc-x6000xs-g_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:elecom:wrc-x6000xs-g:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:elecom:wrc-x1500gs-b_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:elecom:wrc-x1500gs-b:*:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:elecom:wrc-x1500gsa-b_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:elecom:wrc-x1500gsa-b:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-08-01 02:15

Updated : 2024-11-26 09:15

NVD link : CVE-2024-40883

Mitre link : CVE-2024-40883

CVE.ORG link : CVE-2024-40883

JSON object : View

Products Affected

elecom

wrc-2533gs2-w
wrc-x1500gs-b
wrc-x1500gs-b_firmware
wrc-x6000xs-g
wrc-x1500gsa-b
wrc-2533gs2-w_firmware
wrc-2533gs2v-b
wrc-x1500gsa-b_firmware
wrc-x6000xs-g_firmware
wrc-2533gs2-b
wrc-2533gs2v-b_firmware
wrc-2533gs2-b_firmware

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2024-40883", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "vultures@jpcert.or.jp", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-08-01T02:15:02.023", "references": [{"url": "https://jvn.jp/en/jp/JVN06672778/", "tags": ["Third Party Advisory"], "source": "vultures@jpcert.or.jp"}, {"url": "https://www.elecom.co.jp/news/security/20240730-01/", "tags": ["Vendor Advisory"], "source": "vultures@jpcert.or.jp"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "vultures@jpcert.or.jp", "description": [{"lang": "en", "value": "CWE-352"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Cross-site request forgery vulnerability exists in ELECOM wireless LAN routers. Viewing a malicious page while logging in to the affected product with an administrative privilege, the user may be directed to perform unintended operations such as changing the login ID, login password, etc."}, {"lang": "es", "value": " Existe una vulnerabilidad de Cross-site request forgery en los enrutadores LAN inal\u00e1mbricos ELECOM. Al ver una p\u00e1gina maliciosa mientras inicia sesi\u00f3n en el producto afectado con un privilegio administrativo, se puede dirigir al usuario a realizar operaciones no deseadas, como cambiar el ID de inicio de sesi\u00f3n, la contrase\u00f1a de inicio de sesi\u00f3n, etc."}], "lastModified": "2024-11-26T09:15:06.443", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:elecom:wrc-2533gs2-b_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62F4C8BB-6DA7-4227-BDE9-3113CEFA110A", "versionEndExcluding": "1.69"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:elecom:wrc-2533gs2-b:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D9FF3CB7-7F2E-472A-A2A3-ED599F4FC99C"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:elecom:wrc-2533gs2-w_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "77A56640-4A80-4338-9BBF-901088D26193", "versionEndExcluding": "1.69"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:elecom:wrc-2533gs2-w:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "ECD9F0FE-1232-4C39-AA86-2D616E4D39C6"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:elecom:wrc-2533gs2v-b_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3892264D-1108-432F-83EA-E027A6AA0610", "versionEndExcluding": "1.69"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:elecom:wrc-2533gs2v-b:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "69FF2911-A946-4E48-B50A-F1F5EC95BBCC"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:elecom:wrc-x6000xs-g_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A1309B92-8C27-488A-8190-A164502EE615", "versionEndExcluding": "1.12"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:elecom:wrc-x6000xs-g:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D50F2091-30D4-4A3E-A28A-B9D67D70DB2C"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:elecom:wrc-x1500gs-b_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C34B5CB1-4483-49B0-B281-1F61045785C7", "versionEndExcluding": "1.12"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:elecom:wrc-x1500gs-b:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F2B13224-1E88-4415-8B8E-979D00BD68F2"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:elecom:wrc-x1500gsa-b_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "82A4CAE8-0C68-4881-92F3-6BFFD72A58CA", "versionEndExcluding": "1.12"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:elecom:wrc-x1500gsa-b:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D198866F-7CB3-4EA0-86EA-345CF65E116F"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "vultures@jpcert.or.jp"}