CVE-2023-3332

EUVD-2023-44000

28.06.2023, 02:15

Improper Neutralization of Input During Web Page Generation vulnerability in NEC Corporation Aterm Aterm WG2600HP2, WG2600HP, WG2200HP, WG1800HP2, WG1800HP, WG1400HP, WG600HP, WG300HP, WF300HP, WR9500N, WR9300N, WR8750N, WR8700N, WR8600N, WR8370N, WR8175N and WR8170N all versions allows a attacker to 

execute an arbitrary script, after obtaining a high privilege exploiting CVE-2023-3330 and CVE-2023-3331 vulnerabilities.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Affected Products (NVD)

Vendor	Product	Version
nec	aterm_wf300hp_firmware	-
nec	aterm_wg1400hp_firmware	-
nec	aterm_wg1800hp_firmware	-
nec	aterm_wg1800hp2_firmware	-
nec	aterm_wg2200hp_firmware	-
nec	aterm_wg2600hp_firmware	-
nec	aterm_wg2600hp2_firmware	-
nec	aterm_wg300hp_firmware	-
nec	aterm_wg600hp_firmware	-
nec	aterm_wr8600n_firmware	-
nec	aterm_wr8700n_firmware	-
nec	aterm_wr8750n_firmware	-
nec	aterm_wr9300n_firmware	-
nec	aterm_wr9500n_firmware	-
nec	aterm_wr8170n_firmware	-
nec	aterm_wr8175n_firmware	-
nec	aterm_wr8370n_firmware	-

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://https://jpn.nec.com/security-info/secinfo/nv23-007_en.html