Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29127
HistoryMar 03, 2013 - 12:00 a.m.

Stored Cross-site Scripting ('XSS') in Airvana HubBub C1-600-RT Femtocell

2013-03-0300:00:00
vulners.com
22
JSON

Advisory ID: NEOCAN-2013-002
Advisory Title: Stored XSS ('cross-site scripting') in Airvana HubBub C1-600-RT router
Author: Scott Behrens / [email protected]
Release Date: 02/27/2013
Vendor: Airvana
Application: Airrave 2.5 router administration page
Platform: Web Application
Severity: Medium
Vendor status: No response from vendor
CVE Number: CVE-2013-2270
Reference: 004

Overview:

A stored cross-site scripting vulnerability was discovered in the Airrave 2.5 router. An attacker that exploits this attack may use it to execute malicious JavaScript against a victim or trigger a browser exploit. The attack requires

that the victim is authenticated to the device.

Vendor Response:

Vendor was contacted first via email on January 17th, 2013. Researcher did not receive a response when using the 'online form' which was the only publically available email on the company’s website.

Vendor was then contacted via telephone on the following dates: January 25th, February 7th, February 12th. A 'support operator' filed the ticket and informed the researcher a technician would call them back. No technician ever followed

up to the calls.

Recommendation:

Ensure data controlled input is html encoded or escaped. Perform content filtering on user control data for special characters or symbols.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues:

CVE-2013-2270

These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Common Weakness Enumeration (CWE) Information:

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

http://cwe.mitre.org/data/definitions/79.html

--------Neohapsis Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
[email protected]

NeohapsisVulnerability Research GPG Key:
http://www.neohapsis.com/assets/NeohapsisVulnerabilityResearch-PUB.asc

Copyright (c) 2013 Neohapsis

Related

prion 1
securityvulns 1
cve 1
prion
prion
Cross site scripting
2014-03-09 13:16:00
securityvulns
securityvulns
Airvana HubBub routers crossite scripting
2013-03-03 00:00:00
cve
cve
CVE-2013-2270
2014-03-09 13:16:00
JSON
Related for SECURITYVULNS:DOC:29127
prion1securityvulns1cve1