Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
jvnJapan Vulnerability NotesJVN:09166495
HistorySep 11, 2020 - 12:00 a.m.

JVN#09166495: Multiple vulnerabilities in Buffalo AirStation WHR-G54S

2020-09-1100:00:00
Japan Vulnerability Notes
jvn.jp
34

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

47.1%

JSON

Buffalo AirStation WHR-G54S contains multiple vulnerabilities listed below.

Directory Traversal - CVE-2020-5605

Version Vector Score
CVSS v3 CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Base Score: 4.1
CVSS v2 AV:A/AC:L/Au:S/C:P/I:N/A:N Base Score: 2.7

Cross-site Scripting - CVE-2020-5606

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6

Impact

  • An attacker who is logged in to the product may access sensitive information such as setting values - CVE-2020-5605
  • When a user who is logged in to the product accesses a specially crafted page, an arbitrary script may be executed on the user’s web browser - CVE-2020-5606

Solution

Apply a workaround
Applying the following workarounds may mitigate the impacts of these vulnerabilities.

  • Log off when the setting screen is not being used
    • This product is designed to log off automatically when the setting screen is not operated for 5 minutes
  • Do not check other web pages while logged in to the setting screen
  • Change the default password
    Do not use the product
    According to the developer, the product is no longer supported and it is recommended for the users to use alternative products.
    Please refer to the information provided by the developer for more details.

Products Affected

  • WHR-G54S firmware 1.43 and earlier

Related

cve 2
cvelist 2
prion 2
nvd 2
cve
cve
CVE-2020-5606
2020-09-18 06:15:13
CVE-2020-5605
2020-09-18 06:15:13
cvelist
cvelist
CVE-2020-5606
2020-09-18 05:05:24
CVE-2020-5605
2020-09-18 05:05:24
prion
prion
Cross site scripting
2020-09-18 06:15:00
Directory traversal
2020-09-18 06:15:00
nvd
nvd
CVE-2020-5606
2020-09-18 06:15:13
CVE-2020-5605
2020-09-18 06:15:13

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

47.1%

JSON
Related for JVN:09166495
cve2cvelist2prion2nvd2