ICSA-21-280-05

Vulnerability from csaf_cisa - Published: 2021-10-07 00:00 - Updated: 2021-11-30 00:00
Summary
InHand Networks IR615 Router (Update A)

Notes

CISA Disclaimer
This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation
Successful exploitation of these vulnerabilities may allow an attacker to gain full control over the product, remotely perform actions on the product, intercept communication and steal sensitive information, hijack user sessions, and brute-force user passwords. Additional successful exploitation may allow for the uploading of malicious files, deletion of system files, execution of remote code, and enumeration of user accounts and passwords.
Critical infrastructure sectors
Multiple
Countries/areas deployed
Worldwide
Company headquarters location
United States
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
Recommended Practices
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
Exploitability
No known public exploits specifically target these vulnerabilities.

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Haviv Vaizman",
          "Hay Mizrachi",
          "Alik Koldobsky",
          "Ofir Manzur",
          "Nikolay Sokolik"
        ],
        "organization": "OTORIO",
        "summary": "reporting these vulnerabilities to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities may allow an attacker to have full control over the product, remotely perform actions on the product, intercept communication and steal sensitive information, session hijacking, and successful brute-force against user passwords. Additional successful exploitation may allow for the uploading of malicious files, deletion of system files, execution of remote code, and enumeration of user accounts and passwords.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Multiple",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-21-280-05 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2021/icsa-21-280-05.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-21-280-05 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-280-05"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "InHand Networks IR615 Router (Update A)",
    "tracking": {
      "current_release_date": "2021-11-30T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-21-280-05",
      "initial_release_date": "2021-10-07T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2021-10-07T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-21-280-05 InHand Networks IR615 Router"
        },
        {
          "date": "2021-11-30T00:00:00.000000Z",
          "legacy_version": "A",
          "number": "2",
          "summary": "ICSA-21-280-05 InHand Networks IR615 Router (Update A)"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 2.3.0.r5417",
                "product": {
                  "name": "IR615 Router: Versions 2.3.0.r5417 and prior",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "IR615 Router"
          }
        ],
        "category": "vendor",
        "name": "InHand Networks"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-38472",
      "cwe": {
        "id": "CWE-1021",
        "name": "Improper Restriction of Rendered UI Layers or Frames"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product \u0027s management portal does not contain an X-FRAME-OPTIONS header, which an attacker may take advantage of by sending a link to an administrator that frames the router \u0027s management portal and could lure the administrator to perform changes.CVE-2021-38472 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38472"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "InHand Networks recommends users upgrade to version InRouter6XX-S-V2.3.0.r5484 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://inhandnetworks.com/product-security-advisories.html"
        },
        {
          "category": "mitigation",
          "details": "For additional information, please refer to InHand\u0027s Product Security Advisory InHand-PSA-2021-01",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.inhandnetworks.com/upload/attachment/202111/07/InHand-PSA-2021-01.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-38486",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The vendor\u0027s cloud portal allows for self-registration of the affected product without any requirements to create an account, which may allow an attacker to have full control over the product and execute code within the internal network to which the product is connected.CVE-2021-38486 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38486"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "InHand Networks recommends users upgrade to version InRouter6XX-S-V2.3.0.r5484 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://inhandnetworks.com/product-security-advisories.html"
        },
        {
          "category": "mitigation",
          "details": "For additional information, please refer to InHand\u0027s Product Security Advisory InHand-PSA-2021-01",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.inhandnetworks.com/upload/attachment/202111/07/InHand-PSA-2021-01.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-38480",
      "cwe": {
        "id": "CWE-352",
        "name": "Cross-Site Request Forgery (CSRF)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product is vulnerable to cross-site request forgery when unauthorized commands are submitted from a user the web application trusts. This may allow an attacker to remotely perform actions on the router \u0027s management portal, such as making configuration changes, changing administrator credentials, and running system commands on the router.CVE-2021-38480 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38480"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "InHand Networks recommends users upgrade to version InRouter6XX-S-V2.3.0.r5484 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://inhandnetworks.com/product-security-advisories.html"
        },
        {
          "category": "mitigation",
          "details": "For additional information, please refer to InHand\u0027s Product Security Advisory InHand-PSA-2021-01",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.inhandnetworks.com/upload/attachment/202111/07/InHand-PSA-2021-01.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-38464",
      "cwe": {
        "id": "CWE-326",
        "name": "Inadequate Encryption Strength"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product has inadequate encryption strength, which may allow an attacker to intercept the communication and steal sensitive information or hijack the session.CVE-2021-38464 has been assigned to this vulnerability. A CVSS v3 base score of 6.4 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38464"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "InHand Networks recommends users upgrade to version InRouter6XX-S-V2.3.0.r5484 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://inhandnetworks.com/product-security-advisories.html"
        },
        {
          "category": "mitigation",
          "details": "For additional information, please refer to InHand\u0027s Product Security Advisory InHand-PSA-2021-01",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.inhandnetworks.com/upload/attachment/202111/07/InHand-PSA-2021-01.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-38474",
      "cwe": {
        "id": "CWE-307",
        "name": "Improper Restriction of Excessive Authentication Attempts"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product has no account lockout policy configured for the login page of the product. This may allow an attacker to execute a brute-force password attack with no time limitation and without harming the normal operation of the user. This could allow an attacker to gain valid credentials for the product interface.CVE-2021-38474 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38474"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "InHand Networks recommends users upgrade to version InRouter6XX-S-V2.3.0.r5484 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://inhandnetworks.com/product-security-advisories.html"
        },
        {
          "category": "mitigation",
          "details": "For additional information, please refer to InHand\u0027s Product Security Advisory InHand-PSA-2021-01",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.inhandnetworks.com/upload/attachment/202111/07/InHand-PSA-2021-01.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-38484",
      "cwe": {
        "id": "CWE-434",
        "name": "Unrestricted Upload of File with Dangerous Type"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product does not have a filter or signature check to detect or prevent an upload of malicious files to the server, which may allow an attacker, acting as an administrator, to upload malicious files. This could result in cross-site scripting, deletion of system files, and remote code execution.CVE-2021-38484 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38484"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "InHand Networks recommends users upgrade to version InRouter6XX-S-V2.3.0.r5484 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://inhandnetworks.com/product-security-advisories.html"
        },
        {
          "category": "mitigation",
          "details": "For additional information, please refer to InHand\u0027s Product Security Advisory InHand-PSA-2021-01",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.inhandnetworks.com/upload/attachment/202111/07/InHand-PSA-2021-01.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-38466",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product does not perform sufficient input validation on client requests from the help page. This may allow an attacker to perform a reflected cross-site scripting attack, which could allow an attacker to run code on behalf of the client browser.CVE-2021-38466 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38466"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "InHand Networks recommends users upgrade to version InRouter6XX-S-V2.3.0.r5484 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://inhandnetworks.com/product-security-advisories.html"
        },
        {
          "category": "mitigation",
          "details": "For additional information, please refer to InHand\u0027s Product Security Advisory InHand-PSA-2021-01",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.inhandnetworks.com/upload/attachment/202111/07/InHand-PSA-2021-01.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-38470",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product is vulnerable to an attacker using a ping tool to inject commands into the device. This may allow the attacker to remotely run commands on behalf of the device.CVE-2021-38470 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38470"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "InHand Networks recommends users upgrade to version InRouter6XX-S-V2.3.0.r5484 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://inhandnetworks.com/product-security-advisories.html"
        },
        {
          "category": "mitigation",
          "details": "For additional information, please refer to InHand\u0027s Product Security Advisory InHand-PSA-2021-01",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.inhandnetworks.com/upload/attachment/202111/07/InHand-PSA-2021-01.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-38478",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product is vulnerable to an attacker using a traceroute tool to inject commands into the device. This may allow the attacker to remotely run commands on behalf of the device.CVE-2021-38478 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38478"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "InHand Networks recommends users upgrade to version InRouter6XX-S-V2.3.0.r5484 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://inhandnetworks.com/product-security-advisories.html"
        },
        {
          "category": "mitigation",
          "details": "For additional information, please refer to InHand\u0027s Product Security Advisory InHand-PSA-2021-01",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.inhandnetworks.com/upload/attachment/202111/07/InHand-PSA-2021-01.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-38482",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product \u0027s website used to control the router is vulnerable to stored cross-site scripting, which may allow an attacker to hijack sessions of users connected to the system.CVE-2021-38482 has been assigned to this vulnerability. A CVSS v3 base score of 8.7 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38482"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "InHand Networks recommends users upgrade to version InRouter6XX-S-V2.3.0.r5484 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://inhandnetworks.com/product-security-advisories.html"
        },
        {
          "category": "mitigation",
          "details": "For additional information, please refer to InHand\u0027s Product Security Advisory InHand-PSA-2021-01",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.inhandnetworks.com/upload/attachment/202111/07/InHand-PSA-2021-01.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-38468",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product is vulnerable to stored cross-site scripting, which may allow an attacker to hijack sessions of users connected to the system. CVE-2021-38468 has been assigned to this vulnerability. A CVSS v3 base score of 8.7 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38468"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "InHand Networks recommends users upgrade to version InRouter6XX-S-V2.3.0.r5484 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://inhandnetworks.com/product-security-advisories.html"
        },
        {
          "category": "mitigation",
          "details": "For additional information, please refer to InHand\u0027s Product Security Advisory InHand-PSA-2021-01",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.inhandnetworks.com/upload/attachment/202111/07/InHand-PSA-2021-01.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-38476",
      "cwe": {
        "id": "CWE-204",
        "name": "Observable Response Discrepancy"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product\u0027s authentication process response indicates and validates the existence of a username. This may allow an attacker to enumerate different user accounts. CVE-2021-38476 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38476"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "InHand Networks recommends users upgrade to version InRouter6XX-S-V2.3.0.r5484 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://inhandnetworks.com/product-security-advisories.html"
        },
        {
          "category": "mitigation",
          "details": "For additional information, please refer to InHand\u0027s Product Security Advisory InHand-PSA-2021-01",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.inhandnetworks.com/upload/attachment/202111/07/InHand-PSA-2021-01.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-38462",
      "cwe": {
        "id": "CWE-521",
        "name": "Weak Password Requirements"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product does not enforce an efficient password policy. This may allow an attacker with obtained user credentials to enumerate passwords and impersonate other application users and perform operations on their behalf. CVE-2021-38462 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38462"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "InHand Networks recommends users upgrade to version InRouter6XX-S-V2.3.0.r5484 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://inhandnetworks.com/product-security-advisories.html"
        },
        {
          "category": "mitigation",
          "details": "For additional information, please refer to InHand\u0027s Product Security Advisory InHand-PSA-2021-01",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.inhandnetworks.com/upload/attachment/202111/07/InHand-PSA-2021-01.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

