Vulnerability-Lookup

CNVD-2016-00143

Vulnerability from cnvd - Published: 2016-01-11

Title

Freebox OS Web interface跨站脚本漏洞

Description

Freebox OS Web interface是一个ADSL调制解调器（Freebox）操作系统的Web接口。 Freebox OS Web interface 3.0.2版本中存在跨站脚本漏洞，该漏洞源于程序未充分过滤用户提交的输入。当用户浏览受影响的网站时，其浏览器将执行攻击者提供的任意脚本代码。这可能导致攻击者窃取基于cookie的身份验证并发起其它攻击。

Severity

中

Patch Name

Freebox OS Web interface跨站脚本漏洞的补丁

Patch Description

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，详情请关注厂商主页： http://mafreebox.freebox.fr/

Reference

http://www.securityfocus.com/bid/74936

Impacted products

Name
Freebox Freebox OS Web interface 3.0.2

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "74936"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2014-9405"
    }
  },
  "description": "Freebox OS Web interface\u662f\u4e00\u4e2aADSL\u8c03\u5236\u89e3\u8c03\u5668\uff08Freebox\uff09\u64cd\u4f5c\u7cfb\u7edf\u7684Web\u63a5\u53e3\u3002\r\n\r\nFreebox OS Web interface 3.0.2\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u5145\u5206\u8fc7\u6ee4\u7528\u6237\u63d0\u4ea4\u7684\u8f93\u5165\u3002\u5f53\u7528\u6237\u6d4f\u89c8\u53d7\u5f71\u54cd\u7684\u7f51\u7ad9\u65f6\uff0c\u5176\u6d4f\u89c8\u5668\u5c06\u6267\u884c\u653b\u51fb\u8005\u63d0\u4f9b\u7684\u4efb\u610f\u811a\u672c\u4ee3\u7801\u3002\u8fd9\u53ef\u80fd\u5bfc\u81f4\u653b\u51fb\u8005\u7a83\u53d6\u57fa\u4e8ecookie\u7684\u8eab\u4efd\u9a8c\u8bc1\u5e76\u53d1\u8d77\u5176\u5b83\u653b\u51fb\u3002",
  "discovererName": "DAU Huy Ngoc",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttp://mafreebox.freebox.fr/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-00143",
  "openTime": "2016-01-11",
  "patchDescription": "Freebox OS Web interface\u662f\u4e00\u4e2aADSL\u8c03\u5236\u89e3\u8c03\u5668\uff08Freebox\uff09\u64cd\u4f5c\u7cfb\u7edf\u7684Web\u63a5\u53e3\u3002\r\n\r\nFreebox OS Web interface 3.0.2\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u5145\u5206\u8fc7\u6ee4\u7528\u6237\u63d0\u4ea4\u7684\u8f93\u5165\u3002\u5f53\u7528\u6237\u6d4f\u89c8\u53d7\u5f71\u54cd\u7684\u7f51\u7ad9\u65f6\uff0c\u5176\u6d4f\u89c8\u5668\u5c06\u6267\u884c\u653b\u51fb\u8005\u63d0\u4f9b\u7684\u4efb\u610f\u811a\u672c\u4ee3\u7801\u3002\u8fd9\u53ef\u80fd\u5bfc\u81f4\u653b\u51fb\u8005\u7a83\u53d6\u57fa\u4e8ecookie\u7684\u8eab\u4efd\u9a8c\u8bc1\u5e76\u53d1\u8d77\u5176\u5b83\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Freebox OS Web interface\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Freebox Freebox OS Web interface 3.0.2"
  },
  "referenceLink": "http://www.securityfocus.com/bid/74936",
  "serverity": "\u4e2d",
  "submitTime": "2016-01-08",
  "title": "Freebox OS Web interface\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2014-9405 (GCVE-0-2014-9405)

Vulnerability from cvelistv5 – Published: 2020-01-06 21:16 – Updated: 2024-08-06 13:40

Summary

A Cross-Site Scripting (XSS) vulnerability exists in the description field of an Download RSS item or Contacts in Freebox OS Web interface 3.0.2, which allows malicious users to execute arbitrary code.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

4 references

URL	Tags
http://packetstormsecurity.com/files/132121/FreeB…	x_refsource_MISC
http://www.securityfocus.com/bid/74936	x_refsource_MISC
http://seclists.org/fulldisclosure/2015/Jun/1	x_refsource_MISC
http://www.securityfocus.com/archive/1/535660/100…	x_refsource_MISC

Date Public

2015-06-01 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T13:40:25.043Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/132121/FreeBox-3.0.2-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/74936"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2015/Jun/1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/535660/100/0/threaded"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-06-01T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross-Site Scripting (XSS) vulnerability exists in the description field of an Download RSS item or Contacts in Freebox OS Web interface 3.0.2, which allows malicious users to execute arbitrary code."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-01-06T21:16:38.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/132121/FreeBox-3.0.2-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.securityfocus.com/bid/74936"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2015/Jun/1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.securityfocus.com/archive/1/535660/100/0/threaded"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-9405",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A Cross-Site Scripting (XSS) vulnerability exists in the description field of an Download RSS item or Contacts in Freebox OS Web interface 3.0.2, which allows malicious users to execute arbitrary code."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://packetstormsecurity.com/files/132121/FreeBox-3.0.2-Cross-Site-Request-Forgery-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/132121/FreeBox-3.0.2-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
            },
            {
              "name": "http://www.securityfocus.com/bid/74936",
              "refsource": "MISC",
              "url": "http://www.securityfocus.com/bid/74936"
            },
            {
              "name": "http://seclists.org/fulldisclosure/2015/Jun/1",
              "refsource": "MISC",
              "url": "http://seclists.org/fulldisclosure/2015/Jun/1"
            },
            {
              "name": "http://www.securityfocus.com/archive/1/535660/100/0/threaded",
              "refsource": "MISC",
              "url": "http://www.securityfocus.com/archive/1/535660/100/0/threaded"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2014-9405",
    "datePublished": "2020-01-06T21:16:38.000Z",
    "dateReserved": "2014-12-17T00:00:00.000Z",
    "dateUpdated": "2024-08-06T13:40:25.043Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2016-00143

CVE-2014-9405 (GCVE-0-2014-9405)

Tags

Sightings

Nomenclature