JVN#09166495
Multiple vulnerabilities in Buffalo AirStation WHR-G54S

Overview

Buffalo AirStation WHR-G54S contains multiple vulnerabilities.

Products Affected

• WHR-G54S firmware 1.43 and earlier

Description

Buffalo AirStation WHR-G54S contains multiple vulnerabilities listed below.

• Directory Traversal - CVE-2020-5605

  CVSS v3	CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N	Base Score: 4.1
  CVSS v2	AV:A/AC:L/Au:S/C:P/I:N/A:N	Base Score: 2.7

• Cross-site Scripting - CVE-2020-5606

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
  CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

Impact

• An attacker who is logged in to the product may access sensitive information such as setting values - CVE-2020-5605
• When a user who is logged in to the product accesses a specially crafted page, an arbitrary script may be executed on the user's web browser - CVE-2020-5606

Solution

Apply a workaround
Applying the following workarounds may mitigate the impacts of these vulnerabilities.

• Log off when the setting screen is not being used
  • This product is designed to log off automatically when the setting screen is not operated for 5 minutes
• Do not check other web pages while logged in to the setting screen
• Change the default password