All the vulnerabilites related to ELECOM CO.,LTD. - NCC-EWF100RMWH2
jvndb-2021-000008
Vulnerability from jvndb
Published
2021-01-26 16:33
Modified
2021-01-26 16:33
Severity ?
Summary
Multiple vulnerabilities in multiple ELECOM products
Details
Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.
*Improper Access Control (CWE-284) - CVE-2021-20643
*Script injection in web setup page (CWE-74) - CVE-2021-20644
*Stored cross-site scripting (CWE-79) - CVE-2021-20645
*Cross-site request forgery (CWE-352) - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650
*OS command injection (CWE-78) - CVE-2021-20648
*Improper server certificate verification (CWE-295) - CVE-2021-20649
*OS command injection via UPnP (CWE-78) - CVE-2014-8361
CVE-2021-20643
NAGAKAWA(ISHIBASHI), Tsuyoshi of INSTITUTE of INFORMATION SECURITY Yuasa Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2021-20644
Ryo Sato reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2021-20645, CVE-2021-20646
Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2021-20647, CVE-2021-20648, CVE-2021-20649
Satoru Nagaoka of Cyber Defense Institute, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2021-20650
Yutaka WATANABE reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Satoru Nagaoka of Cyber Defense Institute, Inc. and Daisuke Makita and Yoshiki Mori of National Institude of Information and Communications Technology reported that CVE-2014-8361 vulnerability still exists in ELECOM product to IPA. JPCERT/CC coordinated with the developer.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000008.html",
"dc:date": "2021-01-26T16:33+09:00",
"dcterms:issued": "2021-01-26T16:33+09:00",
"dcterms:modified": "2021-01-26T16:33+09:00",
"description": "Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.\r\n*Improper Access Control (CWE-284) - CVE-2021-20643\r\n*Script injection in web setup page (CWE-74) - CVE-2021-20644\r\n*Stored cross-site scripting (CWE-79) - CVE-2021-20645\r\n*Cross-site request forgery (CWE-352) - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650\r\n*OS command injection (CWE-78) - CVE-2021-20648\r\n*Improper server certificate verification (CWE-295) - CVE-2021-20649\r\n*OS command injection via UPnP (CWE-78) - CVE-2014-8361\r\n\r\nCVE-2021-20643\r\nNAGAKAWA(ISHIBASHI), Tsuyoshi of INSTITUTE of INFORMATION SECURITY Yuasa Lab. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2021-20644\r\nRyo Sato reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2021-20645, CVE-2021-20646\r\nSatoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2021-20647, CVE-2021-20648, CVE-2021-20649\r\nSatoru Nagaoka of Cyber Defense Institute, Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2021-20650\r\nYutaka WATANABE reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nSatoru Nagaoka of Cyber Defense Institute, Inc. and Daisuke Makita and Yoshiki Mori of National Institude of Information and Communications Technology reported that CVE-2014-8361 vulnerability still exists in ELECOM product to IPA. JPCERT/CC coordinated with the developer.",
"link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000008.html",
"sec:cpe": [
{
"#text": "cpe:/o:elecom:ld-ps%2fu1_firmware",
"@product": "LD-PS/U1",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:ncc-ewf100rmwh2_firmware",
"@product": "NCC-EWF100RMWH2",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-1467ghbk-a_firmware",
"@product": "WRC-1467GHBK-A",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-300febk-a_firmware",
"@product": "WRC-300FEBK-A",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-300febk-s_firmware",
"@product": "WRC-300FEBK-S",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-300febk_firmware",
"@product": "WRC-300FEBK firmware",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-f300nf_firmware",
"@product": "WRC-F300NF firmware",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
}
],
"sec:cvss": [
{
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "8.8",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2021-000008",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN47580234/index.html",
"@id": "JVN#47580234",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20643",
"@id": "CVE-2021-20643",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20644",
"@id": "CVE-2021-20644",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20645",
"@id": "CVE-2021-20645",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20646",
"@id": "CVE-2021-20646",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20647",
"@id": "CVE-2021-20647",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20648",
"@id": "CVE-2021-20648",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20649",
"@id": "CVE-2021-20649",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20650",
"@id": "CVE-2021-20650",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361",
"@id": "CVE-2014-8361",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2014-8361",
"@id": "CVE-2014-8361",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20643",
"@id": "CVE-2021-20643",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20644",
"@id": "CVE-2021-20644",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20645",
"@id": "CVE-2021-20645",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20646",
"@id": "CVE-2021-20646",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20647",
"@id": "CVE-2021-20647",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20648",
"@id": "CVE-2021-20648",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20649",
"@id": "CVE-2021-20649",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20650",
"@id": "CVE-2021-20650",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-264",
"@title": "Permissions(CWE-264)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-352",
"@title": "Cross-Site Request Forgery(CWE-352)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-78",
"@title": "OS Command Injection(CWE-78)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple vulnerabilities in multiple ELECOM products"
}
cve-2021-20650
Vulnerability from cvelistv5
Published
2021-02-12 06:15
Modified
2024-08-03 17:45
Severity ?
EPSS score ?
Summary
Cross-site request forgery (CSRF) vulnerability in ELECOM NCC-EWF100RMWH2 allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via unspecified vector. As a result, the device settings may be altered and/or telnet daemon may be started.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.elecom.co.jp/news/security/20210126-01/ | x_refsource_MISC | |
| https://jvn.jp/en/jp/JVN47580234/index.html | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| ELECOM CO.,LTD. | NCC-EWF100RMWH2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:45:45.277Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.elecom.co.jp/news/security/20210126-01/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN47580234/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NCC-EWF100RMWH2",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "NCC-EWF100RMWH2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in ELECOM NCC-EWF100RMWH2 allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via unspecified vector. As a result, the device settings may be altered and/or telnet daemon may be started."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-12T06:15:51",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.elecom.co.jp/news/security/20210126-01/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN47580234/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20650",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "NCC-EWF100RMWH2",
"version": {
"version_data": [
{
"version_value": "NCC-EWF100RMWH2"
}
]
}
}
]
},
"vendor_name": "ELECOM CO.,LTD."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in ELECOM NCC-EWF100RMWH2 allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via unspecified vector. As a result, the device settings may be altered and/or telnet daemon may be started."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site request forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.elecom.co.jp/news/security/20210126-01/",
"refsource": "MISC",
"url": "https://www.elecom.co.jp/news/security/20210126-01/"
},
{
"name": "https://jvn.jp/en/jp/JVN47580234/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN47580234/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20650",
"datePublished": "2021-02-12T06:15:51",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:45:45.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}