PT-2024-8723 · Ozw772+1
Paulo Mota · Published 2024-11-12 · Updated 2024-11-15 · CVE-2024-36140 · CVSS v4.0 8.2 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N |
Name of the Vulnerable Software and Affected Versions
OZW672 versions prior to V5.2
OZW772 versions prior to V5.2
Description
The affected devices do not protect the structure of their web pages from user-supplied input, which allows stored cross-site scripting (XSS). An authenticated remote attacker could inject arbitrary JavaScript code that is then executed in the browser of another authenticated user, potentially one with higher privileges. The user accounts tab of the affected devices is specifically vulnerable to such attacks.
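The following is an added illustration, not code from the affected devices or the vendor: it shows how a stored XSS of the kind described above arises when account fields are interpolated into the page structure unencoded, and the contextual output encoding plus input allowlisting that prevents it. The field names, table layout and sample records are assumptions constructed for the example.

```python
# Added example (not the vendor's code). Field names and layout are assumed.
import re
from html import escape

# Constructed sample: account records as a lower-privileged user could save them.
# The second display_name is a harmless marker payload that only shows the effect.
SAMPLE_ACCOUNTS = [
    {"username": "operator1", "display_name": "Night Shift", "role": "user"},
    {"username": "mallory", "display_name": "<script>alert(1)</script>", "role": "user"},
]

def render_accounts_unsafe(accounts):
    """Vulnerable pattern: stored values are pasted straight into the HTML.
    Whatever a user stored becomes live markup for whoever views the tab."""
    rows = "".join(
        f"<tr><td>{a['username']}</td><td>{a['display_name']}</td><td>{a['role']}</td></tr>"
        for a in accounts
    )
    return f"<table id='user-accounts'>{rows}</table>"

def render_accounts_safe(accounts):
    """Hardened pattern: every untrusted value is HTML-entity-encoded for the
    HTML text context, so stored data cannot alter the page structure."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            escape(a["username"], quote=True),
            escape(a["display_name"], quote=True),
            escape(a["role"], quote=True),
        )
        for a in accounts
    )
    return f"<table id='user-accounts'>{rows}</table>"

# Defence in depth at the input side: account fields are plain identifiers,
# so an allowlist of characters rejects markup before it is ever stored.
_FIELD_RE = re.compile(r"[A-Za-z0-9 ._-]{1,64}")

def is_valid_account_field(value):
    """Return True only if the value is a plain name without markup characters."""
    return isinstance(value, str) and _FIELD_RE.fullmatch(value) is not None

if __name__ == "__main__":
    print("unsafe:", render_accounts_unsafe(SAMPLE_ACCOUNTS))
    print("safe:  ", render_accounts_safe(SAMPLE_ACCOUNTS))
    for a in SAMPLE_ACCOUNTS:
        print(a["username"], "display_name accepted:", is_valid_account_field(a["display_name"]))
```

Output encoding at render time is the fix that actually closes the issue; the allowlist only reduces what can be stored and must not be relied on alone.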
Recommendations
For OZW672 versions prior to V5.2, update to version V5.2 or later to resolve the issue.
For OZW772 versions prior to V5.2, update to version V5.2 or later to resolve the issue.
As a temporary workaround until the update can be applied, restrict access to the user accounts tab of the affected devices and avoid using it until the issue is resolved.
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Ozw672
Ozw772