JVN#44166658
Multiple vulnerabilities in ELECOM wireless LAN routers

Overview

Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities.

Products Affected

• WRC-1167GS2-B v1.67 and earlier
• WRC-1167GS2H-B v1.67 and earlier
• WRC-2533GS2-B v1.62 and earlier
• WRC-2533GS2-W v1.62 and earlier
• WRC-2533GS2V-B v1.62 and earlier
• WRC-X3200GST3-B v1.25 and earlier
• WRC-G01-W v1.24 and earlier

Description

Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.

• Cross-site Scripting (CWE-79) - CVE-2024-21798

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N	Base Score: 4.8
  CVSS v2	AV:N/AC:M/Au:S/C:N/I:P/A:N	Base Score: 3.5

• Cross-Site Request Forgery (CWE-352) - CVE-2024-23910

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	Base Score: 4.3
  CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

Impact

• Assume that a malicious administrative user configures the affected product with specially crafted content. When another administrative user logs in and operates the product, an arbitrary script may be executed on the web browser - CVE-2024-21798
• If an administrative user logs in to the affected product and views a malicious page, it may trick the user to perform unintended operations to the affected product - CVE-2024-23910

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.