PT-2024-24329 · Engenius · Engenius Esr580+1
Edward Warren
·
Published
2024-10-30
·
Updated
2024-11-04
·
CVE-2024-31975
CVSS v3.1
4.8
Medium
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
EnGenius EWS356-Fit versions 1.1.30 and earlier
EnGenius ESR580 versions 1.1.30 and earlier
Description
The issue allows a remote attacker to conduct stored XSS attacks via the Wi-Fi SSID parameters. JavaScript embedded into a vulnerable field is executed when the user clicks the SSID field's corresponding EDIT button.
Recommendations
For EnGenius EWS356-Fit versions 1.1.30 and earlier, avoid using the Wi-Fi SSID parameters until a fix is available.
For EnGenius ESR580 versions 1.1.30 and earlier, consider restricting access to the EDIT button for the SSID field to minimize the risk of exploitation.
As a temporary workaround, consider disabling the execution of JavaScript in the SSID field until a patch is available.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Engenius Esr580
Engenius Ews356-Fit