Published: 2022/02/08  Last Updated: 2022/02/08

JVN#17482543
Multiple vulnerabilities in multiple ELECOM LAN routers

Overview

Multiple ELECOM LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities.

Products Affected

CVE-2022-21173

  • WRH-300BK3 firmware v1.05 and earlier
  • WRH-300WH3 firmware v1.05 and earlier
  • WRH-300BK3-S firmware v1.05 and earlier
  • WRH-300DR3-S firmware v1.05 and earlier
  • WRH-300LB3-S firmware v1.05 and earlier
  • WRH-300PN3-S firmware v1.05 and earlier
  • WRH-300WH3-S firmware v1.05 and earlier
  • WRH-300YG3-S firmware v1.05 and earlier

CVE-2022-21799

  • WRC-300FEBK-R firmware v1.13 and earlier

Description

Multiple ELECOM LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.

  • Hidden functionality (CWE-912) - CVE-2022-21173
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8
    CVSS v2 AV:A/AC:L/Au:N/C:C/I:C/A:C Base Score: 8.3
  • Cross-site scripting (CWE-79) - CVE-2022-21799
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 5.2
    CVSS v2 AV:A/AC:M/Au:N/C:N/I:P/A:N Base Score: 2.9

Impact

  • A network-adjacent attacker may execute an arbitrary OS command - CVE-2022-21173
  • An arbitrary script may be executed in a logged-in user's web browser - CVE-2022-21799

Solution

Apply the appropriate firmware update
Apply the appropriate firmware update according to the information provided by the developer.

Vendor Status

Vendor: ELECOM CO.,LTD.  Status: Vulnerable  Last Update: 2022/02/08  Vendor Notes: ELECOM CO.,LTD. website

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2022-21173
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVE-2022-21799
RyotaK reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2022-21173, CVE-2022-21799
JVN iPedia: JVNDB-2022-000010