PT-2023-24835 · Peplink · Peplink Surf Soho

Matt Wiseman · Published 2023-10-11 · Updated 2023-10-17 · CVE-2023-34354

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Peplink Surf SOHO HW1 version 6.3.5

Description

A stored cross-site scripting (XSS) issue exists in the upload brand.cgi functionality. This allows an attacker to execute arbitrary JavaScript in another user's browser by making a specially crafted HTTP request. The request must be authenticated to trigger this issue.

Recommendations

For version 6.3.5, consider disabling the upload brand.cgi functionality until a patch is available to prevent exploitation. Restrict access to this functionality to minimize the risk of arbitrary JavaScript execution in another user's browser.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-34354

Affected Products

Peplink Surf Soho