Published: 2024/09/24  Last Updated: 2024/09/24

JVN#81966868
Multiple vulnerabilities in PLANEX COMMUNICATIONS network devices

Overview

Multiple network devices (network cameras and a router) provided by PLANEX COMMUNICATIONS INC. contain multiple vulnerabilities.

Products Affected

CVE-2024-45372
  • MZK-DP300N firmware versions 1.04 and earlier

CVE-2024-45836
  • CS-QR10 all firmware versions
  • CS-QR20 all firmware versions
  • CS-QR22 all firmware versions
  • CS-QR220 all firmware versions
  • CS-QR300 all firmware versions

Description

Multiple network devices (network cameras and a router) provided by PLANEX COMMUNICATIONS INC. contain the vulnerabilities listed below.

  • Cross-site request forgery (CWE-352)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L Base Score 7.1
    • CVE-2024-45372
  • Cross-site scripting vulnerability in the web management page (CWE-79)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
    • CVE-2024-45836

Impact

  • Viewing a malicious page while logged in to the web management page of the affected product may cause the user to perform unintended operations, such as changing the login password (CVE-2024-45372)
  • If a logged-in user accesses a specific file, an arbitrary script may be executed in the user's web browser (CVE-2024-45836)

Solution

CVE-2024-45372
Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

CVE-2024-45836
Stop using the web management page or the products themselves
The developer states that either the web management page of these products is an unsupported function or the affected products are no longer supported. Users are therefore advised to stop using the function or the affected products and to use alternative products.

Vendor Status

Vendor                       Status       Last Update   Vendor Notes
PLANEX COMMUNICATIONS INC.   Vulnerable   2024/09/24    PLANEX COMMUNICATIONS INC. website

Credit

CVE-2024-45372
Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVE-2024-45836
Ryota Honda, Akihito Takeuchi, Daichi Uezono, Junnosuke Kushibiki, Ryu Kuki, Takayuki Sasaki and Katsunari Yoshioka of Yokohama National University reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE: CVE-2024-45372, CVE-2024-45836
JVN iPedia: JVNDB-2024-000101