An XSS vulnerability exists in several IoT devices from CHIYU Technology, including SEMAC, Biosense, BF-630, BF-631, and Webpass due to a lack of sanitization on the component if.cgi - username parameter.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N
Vendors Products
Chiyu-tech
  • Biosense Firmware
  • Semac D4 Firmware
  • Bf-631 Firmware
  • Semac D2 N300 Firmware
  • Webpass
  • Semac D4
  • Semac S2 Firmware
  • Semac D1 Firmware
  • Semac S1 Osdp Firmware
  • Semac S3v3
  • Bf-631
  • Webpass Firmware
  • Semac D2 Firmware
  • Semac S3v3 Firmware
  • Semac S2
  • Semac S1 Osdp
  • Biosense
  • Semac D2
  • Bf-630 Firmware
  • Bf-630
  • Semac D1
  • Semac D2 N300

Configuration 1 [-]

AND
cpe:2.3:o:chiyu-tech:bf-631_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:chiyu-tech:bf-631:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND
cpe:2.3:o:chiyu-tech:bf-630_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:chiyu-tech:bf-630:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND
cpe:2.3:o:chiyu-tech:semac_s2_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:chiyu-tech:semac_s2:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND
cpe:2.3:o:chiyu-tech:semac_d1_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:chiyu-tech:semac_d1:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND
cpe:2.3:o:chiyu-tech:semac_d2_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:chiyu-tech:semac_d2:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND
cpe:2.3:o:chiyu-tech:semac_d4_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:chiyu-tech:semac_d4:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND
cpe:2.3:o:chiyu-tech:semac_s3v3_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:chiyu-tech:semac_s3v3:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND
cpe:2.3:o:chiyu-tech:semac_d2_n300_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:chiyu-tech:semac_d2_n300:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND
cpe:2.3:o:chiyu-tech:semac_s1_osdp_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:chiyu-tech:semac_s1_osdp:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND
cpe:2.3:o:chiyu-tech:webpass_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:chiyu-tech:webpass:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND
cpe:2.3:o:chiyu-tech:biosense_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:chiyu-tech:biosense:-:*:*:*:*:*:*:*
References
Link Resource
http://packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html Exploit Third Party Advisory VDB Entry
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31643 Exploit Third Party Advisory
https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks/ Exploit Third Party Advisory
https://www.chiyu-tech.com/msg/message-Firmware-update-87.html Vendor Advisory
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-06-01T14:16:12

Updated: 2021-06-01T16:06:15

Reserved: 2021-04-23T00:00:00

Link: CVE-2021-31643

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2021-06-01T15:15:07.747

Modified: 2021-06-08T20:33:15.690

Link: CVE-2021-31643

JSON object: View

cve-icon Redhat Information

No data.

CWE