Published: 2018/02/20 Last Updated: 2018/02/23
JVN#83834277
Multiple vulnerabilities in FS010W
Overview
FS010W provided by FUJI SOFT INCORPORATED contains multiple vulnerabilities.
Products Affected
- FS010W firmware FS010W_00_V1.3.0 and earlier
Description
FS010W provided by FUJI SOFT INCORPORATED is a WiFi router. FS010W contains multiple vulnerabilities listed below.
- Stored cross-site scripting (CWE-79) - CVE-2018-0519
  CVSS v3 CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Base Score: 4.3
  CVSS v2 AV:A/AC:L/Au:S/C:N/I:P/A:N Base Score: 2.7
- Cross-site request forgery (CWE-352) - CVE-2018-0520
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N Base Score: 7.1
  CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:N Base Score: 4.0
Impact
The possible impact of each vulnerability is as follows:
- An arbitrary script may be executed in the web browser of a user who is logged in to the setting tool of the device - CVE-2018-0519
- If a user views a malicious page while logged in to the setting tool of the affected product, unintended operations such as changing the device's settings may be conducted - CVE-2018-0520
Solution
Apply Workarounds
Applying all workarounds listed below may mitigate the impacts of these vulnerabilities.
- Change the initial login password set in the setting tool
- Do not access other websites while logged into the setting tool
- Close the web browser after completing settings of the device using the setting tool
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
FUJI SOFT INCORPORATED | Vulnerable | 2018/02/20 | FUJI SOFT INCORPORATED website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Manabu Kobayashi reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
- CVE: CVE-2018-0519, CVE-2018-0520
- JVN iPedia: JVNDB-2018-000015
Update History
- 2018/02/23
- JVN iPedia link was added under the section [Other Information]