JVN#38248512
Multiple vulnerabilities in Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2

Overview

Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 provided by NEC Corporation contain multiple vulnerabilities.

Products Affected

• Aterm WF800HP firmware all versions
• Aterm WG2600HP firmware Ver1.0.13 and earlier
• Aterm WG2600HP2 firmware Ver1.0.3 and earlier

Description

Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 provided by NEC Corporation contain multiple vulnerabilities listed below.

Aterm WF800HP:

• Cross-site Scripting (CWE-79) - CVE-2021-20620

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
  CVSS v2	AV:N/AC:M/Au:N/C:N/I:P/A:N	Base Score: 4.3

• Improper Access Control (CWE-284) - CVE-2017-12575

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	Base Score: 7.5
  CVSS v2	AV:N/AC:M/Au:N/C:P/I:N/A:N	Base Score: 4.3

• Cross-Site Request Forgery (CWE-352) - CVE-2021-20621

• CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	Base Score: 4.3
  CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

• Cross-site Scripting (CWE-79) - CVE-2021-20622

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
  CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

Impact

• An arbitrary script may be executed on the user's web browser - CVE-2021-20620
• A remote attacker may obtain and/or alter the settings stored in the device - CVE-2017-12575
• If a user accesses a specially crafted page while logged in, unintended operations may be performed - CVE-2021-20621
• An arbitrary script may be executed on the logged in user's web browser - CVE-2021-20622

Solution

Apply workaround
For the users of Aterm WF800HP:
Applying the following workaround may mitigate the impacts of the vulnerability.

• When accessing a website, use a URL obtained from a trusted source and register it to the bookmark. For subsequent accesses, use the URL registered in the bookmark.