PT-2022-8050 · Thomson · Thomson Tcw710

Moikano

Published

2022-06-12

Updated

2022-06-21

CVE-2018-25038

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Thomson TCW710 version ST5D.10.05

Description A problematic issue has been identified, affecting an unknown part of the file /goform/RgDhcp. The manipulation of the PppUserName argument with the input > as part of a POST Request leads to cross-site scripting (Persistent). This can be initiated remotely.

Recommendations For Thomson TCW710 version ST5D.10.05, as a temporary workaround, consider restricting access to the /goform/RgDhcp endpoint or disabling the manipulation of the PppUserName argument until a patch is available. Avoid using the PppUserName argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-80CWE-79

Related Identifiers

CVE-2018-25038

Affected Products

Thomson Tcw710

PT-2022-8050 · Thomson · Thomson Tcw710

CVE-2018-25038

Weakness Enumeration

Related Identifiers

Affected Products

References · 5