PT-2021-22488 · Nexto+1 · Nexto Xpress Xp340+14
D. Teuchert
+1
·
Published
2021-08-23
·
Updated
2021-08-26
·
CVE-2021-39243
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Nexto NX3003 version 1.8.11.0
Nexto NX3004 version 1.8.11.0
Nexto NX3005 version 1.8.11.0
Nexto NX3010 version 1.8.3.0
Nexto NX3020 version 1.8.3.0
Nexto NX3030 version 1.8.3.0
Nexto NX5100 version 1.8.11.0
Nexto NX5101 version 1.8.11.0
Nexto NX5110 version 1.1.2.8
Nexto NX5210 version 1.1.2.8
Nexto Xpress XP300 version 1.8.11.0
Nexto Xpress XP315 version 1.8.11.0
Nexto Xpress XP325 version 1.8.11.0
Nexto Xpress XP340 version 1.8.11.0
Hadron Xtorm HX3040 version 1.7.58.0
Description
Cross-Site Request Forgery (CSRF) exists on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices via any CGI endpoint.
Recommendations
As a temporary workaround, consider disabling access to any CGI endpoint until a patch is available.
Restrict access to the affected devices to minimize the risk of exploitation.
Avoid using the affected devices until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Hadron Xtorm Hx3040
Nexto Nx3003
Nexto Nx3004
Nexto Nx3005
Nexto Nx3010
Nexto Nx3020
Nexto Nx3030
Nexto Nx5100
Nexto Nx5101
Nexto Nx5110
Nexto Nx5210
Nexto Xpress Xp300
Nexto Xpress Xp315
Nexto Xpress Xp325
Nexto Xpress Xp340