cvelistv5 - cve-2017-12703

CVE-2017-12703 (GCVE-0-2017-12703)

Vulnerability from cvelistv5 – Published: 2017-08-25 16:00 – Updated: 2024-08-05 18:43

Summary

Severity ?

No CVSS data available.

CWE

CSRF

Assigner

icscert

References

URL

	Vendor	Product	Version
	n/a	Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455	Affected: Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455

GHSA-MM9P-VHG8-49HJ

Vulnerability from github – Published: 2022-05-17 01:22 – Updated: 2022-05-17 01:22

Details

Severity ?

8.8 (High)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2017-12703"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-25T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server.",
  "id": "GHSA-mm9p-vhg8-49hj",
  "modified": "2022-05-17T01:22:50Z",
  "published": "2022-05-17T01:22:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12703"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100470"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

ICSA-17-236-01

Vulnerability from csaf_cisa - Published: 2017-08-24 00:00 - Updated: 2017-08-24 00:00

Summary

ICSA-17-236-01_Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Summary

Mandar Jadhav from Qualys Security has identified the vulnerabilities.

Exploitability

No known public exploits specifically target these vulnerabilities.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Mandar Jadhav"
        ],
        "organization": "Qualys Security",
        "summary": "identifying the vulnerabilities"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "summary",
        "text": "Mandar Jadhav from Qualys Security has identified the vulnerabilities.",
        "title": "Summary"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "CISAservicedesk@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-17-236-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2017/icsa-17-236-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-17-236-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-17-236-01"
      }
    ],
    "title": "ICSA-17-236-01_Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455",
    "tracking": {
      "current_release_date": "2017-08-24T00:00:00.000000Z",
      "generator": {
        "date": "2023-01-12T21:45:38.727Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.0.0"
        }
      },
      "id": "ICSA-17-236-01",
      "initial_release_date": "2017-08-24T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2017-08-24T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-17-236-01 Westermo ADSL-350, MRD-305-DIN, MRD-315, MRD-355, and MRD-455"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003e 1.7.5.0",
                "product": {
                  "name": "MRD-305-DIN: versions older than 1.7.5.0",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "MRD-305-DIN"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003e 1.7.5.0",
                "product": {
                  "name": "MRD-315 MRD-355 MRD-455: versions older than 1.7.5.0",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "MRD-315 MRD-355 MRD-455"
          }
        ],
        "category": "vendor",
        "name": "Westermo"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-12703",
      "cwe": {
        "id": "CWE-352",
        "name": "Cross-Site Request Forgery (CSRF)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server.CVE-2017-12703 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "references": [
        {
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Westermo recommends that users update to the latest firmware version 1.7.7.0. The new version can be downloaded at:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "http://www.westermo.com/"
        },
        {
          "category": "mitigation",
          "details": "Westermo has also released a security advisory that can be found at:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "http://www.westermo.com/solutions/cyber-security/resource-centre"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "title": "CVE-2017-12703"
    },
    {
      "cve": "CVE-2017-12709",
      "cwe": {
        "id": "CWE-798",
        "name": "Use of Hard-coded Credentials"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The device utilizes hard-coded credentials, which could allow for unauthorized local low privileged access to the device.\n\nCVE-2017-12709 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).",
          "title": "summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "references": [
        {
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Westermo recommends that users update to the latest firmware version 1.7.7.0. The new version can be downloaded at:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "http://www.westermo.com/"
        },
        {
          "category": "mitigation",
          "details": "Westermo has also released a security advisory that can be found at:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "http://www.westermo.com/solutions/cyber-security/resource-centre"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "title": "CVE-2017-12709"
    },
    {
      "cve": "CVE-2016-5816",
      "cwe": {
        "id": "CWE-321",
        "name": "Use of Hard-coded Cryptographic Key"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The device utilizes hard-coded private cryptographic keys that may allow an attacker to decrypt traffic from any other source. CVE-2016-5816 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).",
          "title": "summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "references": [
        {
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Westermo recommends that users update to the latest firmware version 1.7.7.0. The new version can be downloaded at:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "http://www.westermo.com/"
        },
        {
          "category": "mitigation",
          "details": "Westermo has also released a security advisory that can be found at:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "http://www.westermo.com/solutions/cyber-security/resource-centre"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "title": "CVE-2016-5816"
    }
  ]
}

VAR-201708-1118

Vulnerability from variot - Updated: 2023-12-18 12:02

A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server. plural Westermo The product contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. A number of Westermo routers have a hard-coded password vulnerability, and the device uses a hard-coded private key that allows an attacker to decrypt traffic from any other source. The RD-305-DIN, MRD-315, MRD-355, and MRD-455 are all Westermo router devices. A number of Westermo routers have spoofing vulnerabilities. A hard-coded credentials vulnerability 2. A cross-site request forgery vulnerability 3. A hard-coded cryptographic key vulnerability Attackers can exploit these issues to bypass authentication mechanisms, to perform unauthorized actions and gain access to the affected application and to read and modify intercepted traffic. Westermo MRD-305-DIN etc. A remote attacker could exploit this vulnerability to perform unauthorized operations. The following products and versions are affected: Westermo MRD-305-DIN prior to 1.7.5.0, MRD-315 prior to 1.7.5.0, MRD-355 prior to 1.7.5.0, MRD-455 prior to 1.7.5.0

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201708-1118",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "mrd-315-din",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "westermo",
        "version": null
      },
      {
        "model": "mrd-455-din",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "westermo",
        "version": null
      },
      {
        "model": "mrd-355-din",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "westermo",
        "version": null
      },
      {
        "model": "mrd-305-din",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "westermo",
        "version": null
      },
      {
        "model": "mrd-305-din",
        "scope": "lt",
        "trust": 1.2,
        "vendor": "westermo",
        "version": "1.7.5.0"
      },
      {
        "model": "mrd-315",
        "scope": "lt",
        "trust": 1.2,
        "vendor": "westermo",
        "version": "1.7.5.0"
      },
      {
        "model": "mrd-355",
        "scope": "lt",
        "trust": 1.2,
        "vendor": "westermo",
        "version": "1.7.5.0"
      },
      {
        "model": "mrd-455",
        "scope": "lt",
        "trust": 1.2,
        "vendor": "westermo",
        "version": "1.7.5.0"
      },
      {
        "model": "mrd-305-din",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "westermo",
        "version": "1.7.5.0"
      },
      {
        "model": "mrd-315",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "westermo",
        "version": "1.7.5.0"
      },
      {
        "model": "mrd-355",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "westermo",
        "version": "1.7.5.0"
      },
      {
        "model": "mrd-455",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "westermo",
        "version": "1.7.5.0"
      },
      {
        "model": "mrd-455",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "westermo",
        "version": "1.7.5.0"
      },
      {
        "model": "mrd-355",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "westermo",
        "version": "1.7.5.0"
      },
      {
        "model": "mrd-315",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "westermo",
        "version": "1.7.5.0"
      },
      {
        "model": "mrd-305-din",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "westermo",
        "version": "1.7.5.0"
      },
      {
        "model": "mrd-455",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "westermo",
        "version": "1.7.7.0"
      },
      {
        "model": "mrd-355",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "westermo",
        "version": "1.7.7.0"
      },
      {
        "model": "mrd-315",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "westermo",
        "version": "1.7.7.0"
      },
      {
        "model": "mrd-305-din",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "westermo",
        "version": "1.7.7.0"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "mrd 305 din",
        "version": null
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "mrd 315 din",
        "version": null
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "mrd 355 din",
        "version": null
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "mrd 455 din",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "471c06f6-cd0e-48ec-8ee9-aea833e36d39"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23002"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23004"
      },
      {
        "db": "BID",
        "id": "100470"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007294"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-12703"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-1141"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:westermo:mrd-305-din_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:westermo:mrd-305-din:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:westermo:mrd-315-din_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:westermo:mrd-315-din:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:westermo:mrd-355-din_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:westermo:mrd-355-din:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:westermo:mrd-455-din_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:westermo:mrd-455-din:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-12703"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Mandar Jadhav from Qualys Security",
    "sources": [
      {
        "db": "BID",
        "id": "100470"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-1141"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2017-12703",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 6.8,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2017-12703",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 9.4,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2017-23002",
            "impactScore": 9.2,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2017-23004",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "471c06f6-cd0e-48ec-8ee9-aea833e36d39",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "VHN-103252",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 8.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2017-12703",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2017-12703",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2017-23002",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2017-23004",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201708-1141",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "IVD",
            "id": "471c06f6-cd0e-48ec-8ee9-aea833e36d39",
            "trust": 0.2,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-103252",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "471c06f6-cd0e-48ec-8ee9-aea833e36d39"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23002"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23004"
      },
      {
        "db": "VULHUB",
        "id": "VHN-103252"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007294"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-12703"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-1141"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server. plural Westermo The product contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. A number of Westermo routers have a hard-coded password vulnerability, and the device uses a hard-coded private key that allows an attacker to decrypt traffic from any other source. The RD-305-DIN, MRD-315, MRD-355, and MRD-455 are all Westermo router devices. A number of Westermo routers have spoofing vulnerabilities. A hard-coded credentials vulnerability\n2. A cross-site request forgery vulnerability\n3. A hard-coded cryptographic key vulnerability\nAttackers can exploit these issues to bypass authentication mechanisms, to perform unauthorized actions and gain access to the affected application and to read and modify intercepted traffic. Westermo MRD-305-DIN etc. A remote attacker could exploit this vulnerability to perform unauthorized operations. The following products and versions are affected: Westermo MRD-305-DIN prior to 1.7.5.0, MRD-315 prior to 1.7.5.0, MRD-355 prior to 1.7.5.0, MRD-455 prior to 1.7.5.0",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-12703"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007294"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23002"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23004"
      },
      {
        "db": "BID",
        "id": "100470"
      },
      {
        "db": "IVD",
        "id": "471c06f6-cd0e-48ec-8ee9-aea833e36d39"
      },
      {
        "db": "VULHUB",
        "id": "VHN-103252"
      }
    ],
    "trust": 3.24
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "ICS CERT",
        "id": "ICSA-17-236-01",
        "trust": 4.0
      },
      {
        "db": "NVD",
        "id": "CVE-2017-12703",
        "trust": 3.6
      },
      {
        "db": "BID",
        "id": "100470",
        "trust": 3.2
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-1141",
        "trust": 0.9
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23004",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007294",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23002",
        "trust": 0.6
      },
      {
        "db": "IVD",
        "id": "471C06F6-CD0E-48EC-8EE9-AEA833E36D39",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-103252",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "471c06f6-cd0e-48ec-8ee9-aea833e36d39"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23002"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23004"
      },
      {
        "db": "VULHUB",
        "id": "VHN-103252"
      },
      {
        "db": "BID",
        "id": "100470"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007294"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-12703"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-1141"
      }
    ]
  },
  "id": "VAR-201708-1118",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "471c06f6-cd0e-48ec-8ee9-aea833e36d39"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23002"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23004"
      },
      {
        "db": "VULHUB",
        "id": "VHN-103252"
      }
    ],
    "trust": 2.243055575
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS",
          "Network device"
        ],
        "sub_category": null,
        "trust": 1.2
      },
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.2
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "471c06f6-cd0e-48ec-8ee9-aea833e36d39"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23002"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23004"
      }
    ]
  },
  "last_update_date": "2023-12-18T12:02:37.634000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Wireless routers",
        "trust": 0.8,
        "url": "http://www.westermo.us/web/web_en_idc_us.nsf/alldocuments/b84901de5cc4368dc12578930031f1bc"
      },
      {
        "title": "Patches for several Westermo router hardcoded password vulnerabilities",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/100885"
      },
      {
        "title": "Patches for multiple Westermo router spoofing vulnerabilities",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/100887"
      },
      {
        "title": "Multiple Westermo Fixing measures for device cross-site request forgery vulnerability",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=74299"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-23002"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23004"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007294"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-1141"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-352",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-103252"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007294"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-12703"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 4.0,
        "url": "https://ics-cert.us-cert.gov/advisories/icsa-17-236-01"
      },
      {
        "trust": 2.9,
        "url": "http://www.securityfocus.com/bid/100470"
      },
      {
        "trust": 0.9,
        "url": "http://www.westermo.com/"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12703"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-12703"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-23002"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23004"
      },
      {
        "db": "VULHUB",
        "id": "VHN-103252"
      },
      {
        "db": "BID",
        "id": "100470"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007294"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-12703"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-1141"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "471c06f6-cd0e-48ec-8ee9-aea833e36d39"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23002"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-23004"
      },
      {
        "db": "VULHUB",
        "id": "VHN-103252"
      },
      {
        "db": "BID",
        "id": "100470"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007294"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-12703"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-1141"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-08-26T00:00:00",
        "db": "IVD",
        "id": "471c06f6-cd0e-48ec-8ee9-aea833e36d39"
      },
      {
        "date": "2017-08-26T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-23002"
      },
      {
        "date": "2017-08-26T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-23004"
      },
      {
        "date": "2017-08-25T00:00:00",
        "db": "VULHUB",
        "id": "VHN-103252"
      },
      {
        "date": "2017-08-24T00:00:00",
        "db": "BID",
        "id": "100470"
      },
      {
        "date": "2017-09-15T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-007294"
      },
      {
        "date": "2017-08-25T16:29:00.237000",
        "db": "NVD",
        "id": "CVE-2017-12703"
      },
      {
        "date": "2017-08-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201708-1141"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-08-26T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-23002"
      },
      {
        "date": "2017-08-26T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-23004"
      },
      {
        "date": "2017-08-29T00:00:00",
        "db": "VULHUB",
        "id": "VHN-103252"
      },
      {
        "date": "2019-04-15T18:00:00",
        "db": "BID",
        "id": "100470"
      },
      {
        "date": "2017-09-15T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-007294"
      },
      {
        "date": "2017-08-29T17:01:31.300000",
        "db": "NVD",
        "id": "CVE-2017-12703"
      },
      {
        "date": "2019-04-16T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201708-1141"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote or local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-1141"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "plural  Westermo Product cross-site request forgery vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-007294"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "cross-site request forgery",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201708-1141"
      }
    ],
    "trust": 0.6
  }
}

FKIE_CVE-2017-12703

Vulnerability from fkie_nvd - Published: 2017-08-25 16:29 - Updated: 2025-04-20 01:37

Severity ?

8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	http://www.securityfocus.com/bid/100470	Third Party Advisory, VDB Entry
ics-cert@hq.dhs.gov	https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/100470	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01	Third Party Advisory, US Government Resource

Impacted products

Vendor	Product	Version
westermo	mrd-305-din_firmware	-
westermo	mrd-305-din	-
westermo	mrd-315-din_firmware	-
westermo	mrd-315-din	-
westermo	mrd-355-din_firmware	-
westermo	mrd-355-din	-
westermo	mrd-455-din_firmware	-
westermo	mrd-455-din	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:westermo:mrd-305-din_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "12D52093-D913-47EA-80F1-927355BB543F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:westermo:mrd-305-din:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B9962B99-63CF-489E-95B4-A26F851F64E6",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:westermo:mrd-315-din_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "53BB09CA-7887-4422-BB7F-2B6FEFDD81A4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:westermo:mrd-315-din:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D7E32165-E272-4ADD-B14F-585950E25A7C",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:westermo:mrd-355-din_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "ED01C8B2-2A75-4420-8156-F7B53C50E269",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:westermo:mrd-355-din:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5305D4F0-10A0-4B6A-97B2-C49EE527088E",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:westermo:mrd-455-din_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "E7777DED-BF73-4512-813E-2F858D787DB9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:westermo:mrd-455-din:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B043DE84-41F2-4AE2-8254-275FDED1ED77",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server."
    },
    {
      "lang": "es",
      "value": "Se ha descubierto un problema de Cross-Site Request Forgery (CSRF) en Westermo MRD-305-DIN en versiones anteriores a la 1.7.5.0, y MRD-315, MRD-355, MRD-455 en versiones anteriores a la 1.7.5.0. La aplicaci\u00f3n no verifica si una petici\u00f3n ha sido proporcionada intencionadamente por el usuario, lo que posibilita que un atacante enga\u00f1e a un usuario para que realice una petici\u00f3n maliciosa al servidor."
    }
  ],
  "id": "CVE-2017-12703",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-08-25T16:29:00.237",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/100470"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/100470"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2017-12703

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2017-12703

Aliases

CVE-2017-12703

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-12703",
    "description": "A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server.",
    "id": "GSD-2017-12703"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-12703"
      ],
      "details": "A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server.",
      "id": "GSD-2017-12703",
      "modified": "2023-12-13T01:21:03.495294Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "ID": "CVE-2017-12703",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CSRF"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01"
          },
          {
            "name": "100470",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/100470"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:westermo:mrd-305-din_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:westermo:mrd-305-din:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:westermo:mrd-315-din_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:westermo:mrd-315-din:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:westermo:mrd-355-din_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:westermo:mrd-355-din:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:westermo:mrd-455-din_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:westermo:mrd-455-din:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2017-12703"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-352"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01"
            },
            {
              "name": "100470",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/100470"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2017-08-29T17:01Z",
      "publishedDate": "2017-08-25T16:29Z"
    }
  }
}

CNVD-2017-23004

Vulnerability from cnvd - Published: 2017-08-26

Title

多款Westermo路由器欺骗漏洞

Description

RD-305-DIN、MRD-315、MRD-355、MRD-455都是Westermo的路由器设备。多款Westermo路由器存在欺骗漏洞，由于程序未验证用户是否有意提供请求，从而使攻击者有可能欺骗用户向服务器发出恶意请求。

Severity

高

Patch Name

多款Westermo路由器欺骗漏洞的补丁

Patch Description

RD-305-DIN、MRD-315、MRD-355、MRD-455都是Westermo的路由器设备。多款Westermo路由器存在欺骗漏洞，由于程序未验证用户是否有意提供请求，从而使攻击者有可能欺骗用户向服务器发出恶意请求。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁已修复这个安全问题，请到厂商的主页下载： http://www.westermo.com

Reference

https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01 http://www.securityfocus.com/bid/100470

Impacted products

Name
['Westermo MRD-305-DIN <1.7.5.0', 'Westermo MRD-315 <1.7.5.0', 'Westermo MRD-355 <1.7.5.0', 'Westermo MRD-455 <1.7.5.0']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "100470"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-12703"
    }
  },
  "description": "RD-305-DIN\u3001MRD-315\u3001MRD-355\u3001MRD-455\u90fd\u662fWestermo\u7684\u8def\u7531\u5668\u8bbe\u5907\u3002\r\n\r\n\u591a\u6b3eWestermo\u8def\u7531\u5668\u5b58\u5728\u6b3a\u9a97\u6f0f\u6d1e\uff0c\u7531\u4e8e\u7a0b\u5e8f\u672a\u9a8c\u8bc1\u7528\u6237\u662f\u5426\u6709\u610f\u63d0\u4f9b\u8bf7\u6c42\uff0c\u4ece\u800c\u4f7f\u653b\u51fb\u8005\u6709\u53ef\u80fd\u6b3a\u9a97\u7528\u6237\u5411\u670d\u52a1\u5668\u53d1\u51fa\u6076\u610f\u8bf7\u6c42\u3002",
  "discovererName": "Mandar Jadhav from Qualys Security",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u5df2\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttp://www.westermo.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-23004",
  "openTime": "2017-08-26",
  "patchDescription": "RD-305-DIN\u3001MRD-315\u3001MRD-355\u3001MRD-455\u90fd\u662fWestermo\u7684\u8def\u7531\u5668\u8bbe\u5907\u3002\r\n\r\n\u591a\u6b3eWestermo\u8def\u7531\u5668\u5b58\u5728\u6b3a\u9a97\u6f0f\u6d1e\uff0c\u7531\u4e8e\u7a0b\u5e8f\u672a\u9a8c\u8bc1\u7528\u6237\u662f\u5426\u6709\u610f\u63d0\u4f9b\u8bf7\u6c42\uff0c\u4ece\u800c\u4f7f\u653b\u51fb\u8005\u6709\u53ef\u80fd\u6b3a\u9a97\u7528\u6237\u5411\u670d\u52a1\u5668\u53d1\u51fa\u6076\u610f\u8bf7\u6c42\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eWestermo\u8def\u7531\u5668\u6b3a\u9a97\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Westermo MRD-305-DIN \u003c1.7.5.0",
      "Westermo MRD-315 \u003c1.7.5.0",
      "Westermo MRD-355 \u003c1.7.5.0",
      "Westermo MRD-455 \u003c1.7.5.0"
    ]
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01\r\nhttp://www.securityfocus.com/bid/100470",
  "serverity": "\u9ad8",
  "submitTime": "2017-08-03",
  "title": "\u591a\u6b3eWestermo\u8def\u7531\u5668\u6b3a\u9a97\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-12703 (GCVE-0-2017-12703)

GHSA-MM9P-VHG8-49HJ

ICSA-17-236-01

VAR-201708-1118

FKIE_CVE-2017-12703

GSD-2017-12703

CNVD-2017-23004

Tags

Sightings

Nomenclature