JVN#68528150: Multiple FXC network devices vulnerable to cross-site scripting

2018-09-13 00:00:00
Japan Vulnerability Notes
jvn.jp

CVSS2: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: SINGLE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

CVSS3: 4.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: HIGH
  • User Interaction: REQUIRED
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

EPSS: 0.001 (Percentile: 22.7%)

Multiple network devices provided by FXC Inc. contain a stored cross-site scripting vulnerability (CWE-79).

Impact

If an attacker with administrative rights logs in to the Management GUI and embeds a specially crafted script, that script may be executed in another administrator’s web browser.

Solution

Solution for Managed Ethernet switch and Power over Ethernet (PoE) switch: Update the Firmware
Apply the appropriate firmware update according to the information provided by the developer.

Solution for Wireless LAN router: Apply Workaround
The following workaround may mitigate the impact of this vulnerability.

  • Restrict access to Management CGI of the device. Permit access only to trusted administrators.

Products Affected

  • Managed Ethernet switch FXC5210/5218/5224 firmware prior to version Ver1.00.22
  • Managed Ethernet switch FXC5426F firmware prior to version Ver1.00.06
  • Managed Ethernet switch FXC5428 firmware prior to version Ver1.00.07
  • Power over Ethernet (PoE) switch FXC5210PE/5218PE/5224PE firmware prior to version Ver1.00.14
  • Wireless LAN router AE1021/AE1021PE firmware all versions
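
To check a device inventory against the list above, the following added example (not part of the JVN advisory or any FXC tooling) maps each model and reported firmware version to the advisory's remediation. The function names and inventory rows are constructed for illustration, and it assumes firmware versions compare numerically field by field.

```python
import re

# Fixed firmware versions copied from "Products Affected"; None means all
# versions are affected and only the workaround applies.
FIXED = {
    ("FXC5210", "FXC5218", "FXC5224"): "Ver1.00.22",
    ("FXC5426F",): "Ver1.00.06",
    ("FXC5428",): "Ver1.00.07",
    ("FXC5210PE", "FXC5218PE", "FXC5224PE"): "Ver1.00.14",
    ("AE1021", "AE1021PE"): None,
}

def parse_version(text):
    """'Ver1.00.22' -> (1, 0, 22). Assumption: dot-separated numeric fields."""
    m = re.fullmatch(r"(?i)\s*(?:ver\.?\s*)?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def assess(model, firmware):
    """Return 'update-firmware', 'apply-workaround', 'not-affected' or 'not-listed'."""
    model = model.strip().upper()
    for models, fixed in FIXED.items():
        if model in models:
            if fixed is None:
                return "apply-workaround"   # wireless LAN routers: restrict access
            if parse_version(firmware) < parse_version(fixed):
                return "update-firmware"    # "prior to" the fixed version
            return "not-affected"
    return "not-listed"                     # model does not appear in this advisory

# Constructed inventory rows (hostname, model, reported firmware).
INVENTORY = [
    ("sw-core-01", "FXC5224", "Ver1.00.21"),
    ("sw-core-02", "FXC5224", "Ver1.00.22"),
    ("sw-poe-01", "fxc5210pe", "1.00.9"),
    ("ap-lobby", "AE1021", "Ver2.0.0"),
    ("sw-other", "XYZ100", "Ver1.0.0"),
]

def triage(rows):
    """Map each hostname to the advisory's remediation for that device."""
    return {host: assess(model, fw) for host, model, fw in rows}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```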
