PT-2014-3717 · Technicolor · Technicolor Tc7200
Jeroen
·
Publicado
2014-01-08
·
Atualizado
2014-05-05
·
CVE-2014-0621
CVSS v2.0
6.8
Média
| Vetor | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Technicolor TC7200 version STD6.01.12
Description
The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow remote attackers to hijack the authentication of administrators for various requests, including performing a factory reset via a request to "goform/system/factory", disabling advanced options via a request to "goform/advanced/options", removing ip-filters via the
IpFilterAddressDelete1 parameter to "goform/advanced/ip-filters", or removing firewall settings via the cbFirewall parameter to "goform/advanced/firewall".Recommendations
For Technicolor TC7200 version STD6.01.12, as a temporary workaround, consider restricting access to the "goform/system/factory", "goform/advanced/options", "goform/advanced/ip-filters", and "goform/advanced/firewall" endpoints until a patch is available. Avoid using the
IpFilterAddressDelete1 and cbFirewall parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
CSRF
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Technicolor Tc7200