CVE-2021-37378 - OpenCVE

Cross Site Scripting (XSS) vulnerability in Teradek Cube and Cube Pro firmware version 7.3.x and earlier allows remote attackers to run arbitrary code via the Friendly Name field in System Information Settings. NOTE: Vedor states the product has reached End of Life and will not be receiving any firmware updates to address this issue.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Teradke	Cube Pro Firmware Cube Firmware Cube Cube Pro

Configuration 1 [-]

AND

cpe:2.3:o:teradke:cube_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:teradke:cube:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:teradke:cube_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:teradke:cube_pro:-:*:*:*:*:*:*:*

References

Link	Resource
https://tbutler.org/2021/04/29/teradek-vulnerability-advisory	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2023-02-03T00:00:00

Updated: 2023-02-03T00:00:00

Reserved: 2021-07-21T00:00:00

Link: CVE-2021-37378

JSON object: View

NVD Information

Status : Modified

Published: 2023-02-03T18:15:13.267

Modified: 2024-05-17T01:59:12.753

Link: CVE-2021-37378

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:teradke:cube_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA5C0EF0-581A-4EED-90FA-D981019CA4BB", "versionEndIncluding": "7.3.19", "versionStartIncluding": "7.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:teradke:cube:-:*:*:*:*:*:*:*", "matchCriteriaId": "65D8E3C3-CCB2-4008-83B0-02C0149703E3", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:teradke:cube_pro_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3AF3F78-46DF-4164-822D-03C71869E534", "versionEndIncluding": "7.3.16", "versionStartIncluding": "7.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:teradke:cube_pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "59B11148-DE46-4A83-8823-5E422F2386D8", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Cross Site Scripting (XSS) vulnerability in Teradek Cube and Cube Pro firmware version 7.3.x and earlier allows remote attackers to run arbitrary code via the Friendly Name field in System Information Settings. NOTE: Vedor states the product has reached End of Life and will not be receiving any firmware updates to address this issue."}], "id": "CVE-2021-37378", "lastModified": "2024-05-17T01:59:12.753", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-03T18:15:13.267", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://tbutler.org/2021/04/29/teradek-vulnerability-advisory"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}