CVE-2017-8332

Name of the Vulnerable Software and Affected Versions Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096

Description An issue was discovered where the device does not implement any cross-site scripting protection mechanism. This allows an attacker to trick a user who is logged in to the web management interface into executing a stored cross-site scripting payload on the user's browser, enabling the execution of any action on the device provided by the web management interface. The device provides a feature to block key words passing in the web traffic to prevent kids from watching content that might be deemed unsafe using the web management interface.

Recommendations For Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096, consider disabling the web management interface until a patch is available to prevent exploitation. Restrict access to the web management interface to minimize the risk of cross-site scripting attacks. Avoid using the web management interface for sensitive actions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.