All the vulnerabilites related to ELECOM CO.,LTD. - LD-PS/U1
jvndb-2021-000008
Vulnerability from jvndb
Published
2021-01-26 16:33
Modified
2021-01-26 16:33
Severity ?
Summary
Multiple vulnerabilities in multiple ELECOM products
Details
Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. *Improper Access Control (CWE-284) - CVE-2021-20643 *Script injection in web setup page (CWE-74) - CVE-2021-20644 *Stored cross-site scripting (CWE-79) - CVE-2021-20645 *Cross-site request forgery (CWE-352) - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650 *OS command injection (CWE-78) - CVE-2021-20648 *Improper server certificate verification (CWE-295) - CVE-2021-20649 *OS command injection via UPnP (CWE-78) - CVE-2014-8361 CVE-2021-20643 NAGAKAWA(ISHIBASHI), Tsuyoshi of INSTITUTE of INFORMATION SECURITY Yuasa Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2021-20644 Ryo Sato reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2021-20645, CVE-2021-20646 Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2021-20647, CVE-2021-20648, CVE-2021-20649 Satoru Nagaoka of Cyber Defense Institute, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2021-20650 Yutaka WATANABE reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Satoru Nagaoka of Cyber Defense Institute, Inc. and Daisuke Makita and Yoshiki Mori of National Institude of Information and Communications Technology reported that CVE-2014-8361 vulnerability still exists in ELECOM product to IPA. JPCERT/CC coordinated with the developer.
References
JVN https://jvn.jp/en/jp/JVN47580234/index.html
CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20643
CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20644
CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20645
CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20646
CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20647
CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20648
CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20649
CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20650
CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361
NVD https://nvd.nist.gov/vuln/detail/CVE-2014-8361
NVD https://nvd.nist.gov/vuln/detail/CVE-2021-20643
NVD https://nvd.nist.gov/vuln/detail/CVE-2021-20644
NVD https://nvd.nist.gov/vuln/detail/CVE-2021-20645
NVD https://nvd.nist.gov/vuln/detail/CVE-2021-20646
NVD https://nvd.nist.gov/vuln/detail/CVE-2021-20647
NVD https://nvd.nist.gov/vuln/detail/CVE-2021-20648
NVD https://nvd.nist.gov/vuln/detail/CVE-2021-20649
NVD https://nvd.nist.gov/vuln/detail/CVE-2021-20650
Permissions(CWE-264) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Cross-Site Request Forgery(CWE-352) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
OS Command Injection(CWE-78) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Cross-site Scripting(CWE-79) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
No Mapping(CWE-Other) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Show details on JVN DB website


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000008.html",
  "dc:date": "2021-01-26T16:33+09:00",
  "dcterms:issued": "2021-01-26T16:33+09:00",
  "dcterms:modified": "2021-01-26T16:33+09:00",
  "description": "Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.\r\n*Improper Access Control (CWE-284) - CVE-2021-20643\r\n*Script injection in web setup page (CWE-74) - CVE-2021-20644\r\n*Stored cross-site scripting (CWE-79) - CVE-2021-20645\r\n*Cross-site request forgery (CWE-352) - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650\r\n*OS command injection (CWE-78) - CVE-2021-20648\r\n*Improper server certificate verification (CWE-295) - CVE-2021-20649\r\n*OS command injection via UPnP (CWE-78) - CVE-2014-8361\r\n\r\nCVE-2021-20643\r\nNAGAKAWA(ISHIBASHI), Tsuyoshi of INSTITUTE of INFORMATION SECURITY Yuasa Lab. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2021-20644\r\nRyo Sato reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2021-20645, CVE-2021-20646\r\nSatoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2021-20647, CVE-2021-20648, CVE-2021-20649\r\nSatoru Nagaoka of Cyber Defense Institute, Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2021-20650\r\nYutaka WATANABE reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nSatoru Nagaoka of Cyber Defense Institute, Inc. and Daisuke Makita and Yoshiki Mori of National Institude of Information and Communications Technology reported that CVE-2014-8361 vulnerability still exists in ELECOM product to IPA. JPCERT/CC coordinated with the developer.",
  "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000008.html",
  "sec:cpe": [
    {
      "#text": "cpe:/o:elecom:ld-ps%2fu1_firmware",
      "@product": "LD-PS/U1",
      "@vendor": "ELECOM CO.,LTD.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:elecom:ncc-ewf100rmwh2_firmware",
      "@product": "NCC-EWF100RMWH2",
      "@vendor": "ELECOM CO.,LTD.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:elecom:wrc-1467ghbk-a_firmware",
      "@product": "WRC-1467GHBK-A",
      "@vendor": "ELECOM CO.,LTD.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:elecom:wrc-300febk-a_firmware",
      "@product": "WRC-300FEBK-A",
      "@vendor": "ELECOM CO.,LTD.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:elecom:wrc-300febk-s_firmware",
      "@product": "WRC-300FEBK-S",
      "@vendor": "ELECOM CO.,LTD.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:elecom:wrc-300febk_firmware",
      "@product": "WRC-300FEBK firmware",
      "@vendor": "ELECOM CO.,LTD.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:elecom:wrc-f300nf_firmware",
      "@product": "WRC-F300NF firmware",
      "@vendor": "ELECOM CO.,LTD.",
      "@version": "2.2"
    }
  ],
  "sec:cvss": [
    {
      "@score": "5.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "8.8",
      "@severity": "High",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2021-000008",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN47580234/index.html",
      "@id": "JVN#47580234",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20643",
      "@id": "CVE-2021-20643",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20644",
      "@id": "CVE-2021-20644",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20645",
      "@id": "CVE-2021-20645",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20646",
      "@id": "CVE-2021-20646",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20647",
      "@id": "CVE-2021-20647",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20648",
      "@id": "CVE-2021-20648",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20649",
      "@id": "CVE-2021-20649",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20650",
      "@id": "CVE-2021-20650",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361",
      "@id": "CVE-2014-8361",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2014-8361",
      "@id": "CVE-2014-8361",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20643",
      "@id": "CVE-2021-20643",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20644",
      "@id": "CVE-2021-20644",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20645",
      "@id": "CVE-2021-20645",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20646",
      "@id": "CVE-2021-20646",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20647",
      "@id": "CVE-2021-20647",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20648",
      "@id": "CVE-2021-20648",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20649",
      "@id": "CVE-2021-20649",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20650",
      "@id": "CVE-2021-20650",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-264",
      "@title": "Permissions(CWE-264)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-352",
      "@title": "Cross-Site Request Forgery(CWE-352)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-78",
      "@title": "OS Command Injection(CWE-78)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "Multiple vulnerabilities in multiple ELECOM products"
}

cve-2021-20643
Vulnerability from cvelistv5
Published
2021-02-12 06:15
Modified
2024-08-03 17:45
Severity ?
Summary
Improper access control vulnerability in ELECOM LD-PS/U1 allows remote attackers to change the administrative password of the affected device by processing a specially crafted request.
Impacted products
ELECOM CO.,LTD.LD-PS/U1
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:45:45.126Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.elecom.co.jp/news/security/20210126-01/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN47580234/index.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LD-PS/U1",
          "vendor": "ELECOM CO.,LTD.",
          "versions": [
            {
              "status": "affected",
              "version": "LD-PS/U1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper access control vulnerability in ELECOM LD-PS/U1 allows remote attackers to change the administrative password of the affected device by processing a specially crafted request."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Improper Access Control",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-12T06:15:46",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.elecom.co.jp/news/security/20210126-01/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jvn.jp/en/jp/JVN47580234/index.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2021-20643",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "LD-PS/U1",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "LD-PS/U1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ELECOM CO.,LTD."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper access control vulnerability in ELECOM LD-PS/U1 allows remote attackers to change the administrative password of the affected device by processing a specially crafted request."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.elecom.co.jp/news/security/20210126-01/",
              "refsource": "MISC",
              "url": "https://www.elecom.co.jp/news/security/20210126-01/"
            },
            {
              "name": "https://jvn.jp/en/jp/JVN47580234/index.html",
              "refsource": "MISC",
              "url": "https://jvn.jp/en/jp/JVN47580234/index.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2021-20643",
    "datePublished": "2021-02-12T06:15:46",
    "dateReserved": "2020-12-17T00:00:00",
    "dateUpdated": "2024-08-03T17:45:45.126Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}