4.8

CVE-2018-0679

Cross-site scripting vulnerability in multiple FXC Inc. network devices (Managed Ethernet switch FXC5210/5218/5224 firmware prior to version Ver1.00.22, Managed Ethernet switch FXC5426F firmware prior to version Ver1.00.06, Managed Ethernet switch FXC5428 firmware prior to version Ver1.00.07, Power over Ethernet (PoE) switch FXC5210PE/5218PE/5224PE firmware prior to version Ver1.00.14, and Wireless LAN router AE1021/AE1021PE firmware all versions) allows attacker with administrator rights to inject arbitrary web script or HTML via the administrative page.
Data provided by the National Vulnerability Database (NVD)
Fxc Fxc5210 Firmware Version < 1.00.22
   Fxc Fxc5210 Version -
Fxc Fxc5218 Firmware Version < 1.00.22
   Fxc Fxc5218 Version -
Fxc Fxc5224 Firmware Version < 1.00.22
   Fxc Fxc5224 Version -
Fxc Fxc5426f Firmware Version < 1.00.06
   Fxc Fxc5426f Version -
Fxc Fxc5428 Firmware Version < 1.00.07
   Fxc Fxc5428 Version -
Fxc Fxc5210pe Firmware Version < 1.00.14
   Fxc Fxc5210pe Version -
Fxc Fxc5218pe Firmware Version < 1.00.14
   Fxc Fxc5218pe Version -
Fxc Fxc5224pe Firmware Version < 1.00.14
   Fxc Fxc5224pe Version -
Fxc Ae1021 Firmware
   Fxc Ae1021 Version -
Fxc Ae1021pe Firmware
   Fxc Ae1021pe Version -
No CISA KEV or CERT.AT warning was found for this CVE.

EPSS Metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 0.25% | 0.449 |

CVSS Metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|--------|------------|---------------|--------------|---------------|
| nvd@nist.gov | 4.8 | 1.7 | 2.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| nvd@nist.gov | 3.5 | 6.8 | 2.9 | AV:N/AC:M/Au:S/C:N/I:P/A:N |

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.