VAR-201403-0345

Vulnerability from variot - Updated: 2025-04-13 23:23

Multiple cross-site scripting (XSS) vulnerabilities in the SFR Box router with firmware NB6-MAIN-R3.3.4 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) dns, (2) dhcp, (3) nat, (4) route, or (5) lan in network/; or (6) wifi/config. The SFR Box router is a router device.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

SFR BOX NB6-MAIN-R3.3.4 is vulnerable; other versions may also be affected.

CVE-2014-1599

39 Type-1 XSS in SFR ADSL/Fiber Box.

SFR is the French Vodafone (estimated DSL user base of 5.2 Million).

  • affected product: SFR BOX NB6-MAIN-R3.3.4

  • vulnerabilities:

    • /network/dns: 5 non-filtered Type-1 XSS
    • /network/dhcp: 6 non-filtered Type-1 XSS
    • /network/nat: 7 non-filtered Type-1 XSS
    • /network/route: 12 non-filtered Type-1 XSS
    • /wifi/config: 1 non-filtered Type-1 XSS
    • /network/lan: 8 non-filtered Type-1 XSS

  • exploitation hypotheses:

    • user already logged-in (or tricked by SE techniques to authenticate)
    • IP address of the SFR Box router is known (most users use the default settings: 192.168.1.1/24)
  • number of attack vectors:

    39 Type-1 XSS

  • exploitation scenario: If a user is tricked into authenticating into its interface, an attacker can XSS the user, and thus get read and write access to the router configuration webpages. Such a scenario is mainly possible due to:

    • non-filtered reflections (mainly Type-1 / reflected)
    • lack of Content Security Policy

    Moreover, no anti-CSRF tokens such as view-states are present, thus there is the possibility of modifying the routing tables even without an XSS, if the user is authenticated in the box.

    A non-limitative list of actions includes:

    • getting authentication credentials (wireless, DSL credentials)
    • rebooting the router
    • modifying the route table (thus possibility of content injection if an attacker-controlled server is on the route)
    • DDOSing a target with numerous XSS'ed clients

  • timeline:

    • 2013-12-21: discovery
    • 2014-01-06: notification to vendor, ask for patch release
    • 2014-01-06: vendor acknowledges but does not answer on the patching timeframe
    • 2014-01-20: request for update or planned date of patch release
    • 2014-02-25: public disclosure

{
  "affected_products": {
    "_id": null,
    "data": [
      {
        "_id": null,
        "model": "box router",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "sfr",
        "version": "nb6-main-r3.3.4"
      },
      {
        "_id": null,
        "model": "box router",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sfr",
        "version": null
      },
      {
        "_id": null,
        "model": "box",
        "scope": null,
        "trust": 0.8,
        "vendor": "sfr",
        "version": null
      },
      {
        "_id": null,
        "model": "box",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "sfr",
        "version": "nb6-main-r3.3.4"
      },
      {
        "_id": null,
        "model": "box router nb6-main-r3.3.4",
        "scope": null,
        "trust": 0.6,
        "vendor": "sfr",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01595"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001600"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201403-158"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-1599"
      }
    ]
  },
  "configurations": {
    "_id": null,
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/h:sfr:sfr_box_router",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:sfr:sfr_box_router_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001600"
      }
    ]
  },
  "credits": {
    "_id": null,
    "data": "alejandr0.w3b.p0wn3r",
    "sources": [
      {
        "db": "BID",
        "id": "65973"
      },
      {
        "db": "PACKETSTORM",
        "id": "125546"
      }
    ],
    "trust": 0.4
  },
  "cve": "CVE-2014-1599",
  "cvss": {
    "_id": null,
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CVE-2014-1599",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CNVD-2014-01595",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "VHN-69538",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2014-1599",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2014-1599",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2014-01595",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201403-158",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-69538",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01595"
      },
      {
        "db": "VULHUB",
        "id": "VHN-69538"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001600"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201403-158"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-1599"
      }
    ]
  },
  "description": {
    "_id": null,
    "data": "Multiple cross-site scripting (XSS) vulnerabilities in the SFR Box router with firmware NB6-MAIN-R3.3.4 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) dns, (2) dhcp, (3) nat, (4) route, or (5) lan in network/; or (6) wifi/config. The SFR Box router is a router device. \nAn attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. \nSFR BOX NB6-MAIN-R3.3.4 is vulnerable; other versions may also be affected. CVE-2014-1599\n39 Type-1 XSS in SFR ADSL/Fiber Box. \nSFR is the french Vodafone (estimated DSL user base of 5.2 Million). \n\n* affected product:\nSFR BOX NB6-MAIN-R3.3.4\n\n* vulnerabilities:\n/network/dns\n\t5 non-filtered Type-1 XSS\n/network/dhcp\n\t6 non-filtered Type-1 XSS\n/network/nat\n\t7 non-filtered Type-1 XSS\n/network/route\n\t12 non-filtered Type-1 XSS\n/wifi/config\n\t1 non-filtered Type-1 XSS\n/network/lan\n\t8 non-filtered Type-1 XSS\n\n\n* exploitation hypotheses:\n\t- user already logged-in (or tricked by SE techniques to authenticate)\n\t- ip address of the SFR Box router is known (most users use the default\nsettings: 192.168.1.1/24)\n\n* #number of attack vectors:\n\t39 Type-1 XSS\n\t\t\n* exploitation scenario:\nIf a user is tricked into authenticating into its interface,\nan attacker can XSS the user, and thus getting read and write access to\nthe router configuration webpages. \nSuch as scenario is mainly possible due to:\n - non filtered reflections (mainly Type-1 / reflected)\n - lack of Content Security Policy\nMoreover, no anti-CSRF token such as view-states are present, thus there\nis the possibility of modifying the routing tables even without an XSS,\nif the user is authenticated in the box. \n\nA non limitative list of actions include:\n - getting authentication credentials (wireless, DSL credentials)\n - rebooting the router\n - modifying the route table (thus possibility of content injection if\nan attacker controlled server is on the route)\n - DDOSing a target with numerous XSS\u0027ed clients\n\n* timeline:\n - 2013-12-21: discovery\n - 2014-01-06: notification to vendor, ask for patch release\n - 2014-01-06: vendor acknowledges but does not answer on the patching\ntimeframe\n - 2014-01-20: request for update or planned date of patch release\n - 2014-02-25: public disclosure\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2014-1599"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001600"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01595"
      },
      {
        "db": "BID",
        "id": "65973"
      },
      {
        "db": "VULHUB",
        "id": "VHN-69538"
      },
      {
        "db": "PACKETSTORM",
        "id": "125546"
      }
    ],
    "trust": 2.61
  },
  "exploit_availability": {
    "_id": null,
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-69538",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-69538"
      }
    ]
  },
  "external_ids": {
    "_id": null,
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2014-1599",
        "trust": 3.5
      },
      {
        "db": "BID",
        "id": "65973",
        "trust": 2.0
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001600",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201403-158",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01595",
        "trust": 0.6
      },
      {
        "db": "BUGTRAQ",
        "id": "20140305 CVE-2014-1599 - 39 TYPE-1 XSS IN SFR DSL/FIBER BOX",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "125546",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-69538",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01595"
      },
      {
        "db": "VULHUB",
        "id": "VHN-69538"
      },
      {
        "db": "BID",
        "id": "65973"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001600"
      },
      {
        "db": "PACKETSTORM",
        "id": "125546"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201403-158"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-1599"
      }
    ]
  },
  "id": "VAR-201403-0345",
  "iot": {
    "_id": null,
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01595"
      },
      {
        "db": "VULHUB",
        "id": "VHN-69538"
      }
    ],
    "trust": 1.3666667
  },
  "iot_taxonomy": {
    "_id": null,
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01595"
      }
    ]
  },
  "last_update_date": "2025-04-13T23:23:55.956000Z",
  "patch": {
    "_id": null,
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://www.sfr.fr/"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001600"
      }
    ]
  },
  "problemtype_data": {
    "_id": null,
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-69538"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001600"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-1599"
      }
    ]
  },
  "references": {
    "_id": null,
    "data": [
      {
        "trust": 2.0,
        "url": "http://www.securityfocus.com/archive/1/archive/1/531349/100/0/threaded"
      },
      {
        "trust": 1.1,
        "url": "http://www.securityfocus.com/bid/65973"
      },
      {
        "trust": 1.1,
        "url": "http://www.securityfocus.com/archive/1/531349/100/0/threaded"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1599"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1599"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-1599"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01595"
      },
      {
        "db": "VULHUB",
        "id": "VHN-69538"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001600"
      },
      {
        "db": "PACKETSTORM",
        "id": "125546"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201403-158"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-1599"
      }
    ]
  },
  "sources": {
    "_id": null,
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01595",
        "ident": null
      },
      {
        "db": "VULHUB",
        "id": "VHN-69538",
        "ident": null
      },
      {
        "db": "BID",
        "id": "65973",
        "ident": null
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001600",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "125546",
        "ident": null
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201403-158",
        "ident": null
      },
      {
        "db": "NVD",
        "id": "CVE-2014-1599",
        "ident": null
      }
    ]
  },
  "sources_release_date": {
    "_id": null,
    "data": [
      {
        "date": "2014-03-12T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-01595",
        "ident": null
      },
      {
        "date": "2014-03-09T00:00:00",
        "db": "VULHUB",
        "id": "VHN-69538",
        "ident": null
      },
      {
        "date": "2014-02-25T00:00:00",
        "db": "BID",
        "id": "65973",
        "ident": null
      },
      {
        "date": "2014-03-11T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-001600",
        "ident": null
      },
      {
        "date": "2014-03-05T18:13:00",
        "db": "PACKETSTORM",
        "id": "125546",
        "ident": null
      },
      {
        "date": "2014-03-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201403-158",
        "ident": null
      },
      {
        "date": "2014-03-09T13:16:56.773000",
        "db": "NVD",
        "id": "CVE-2014-1599",
        "ident": null
      }
    ]
  },
  "sources_update_date": {
    "_id": null,
    "data": [
      {
        "date": "2014-03-12T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-01595",
        "ident": null
      },
      {
        "date": "2018-10-09T00:00:00",
        "db": "VULHUB",
        "id": "VHN-69538",
        "ident": null
      },
      {
        "date": "2014-04-08T00:48:00",
        "db": "BID",
        "id": "65973",
        "ident": null
      },
      {
        "date": "2014-03-11T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-001600",
        "ident": null
      },
      {
        "date": "2014-03-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201403-158",
        "ident": null
      },
      {
        "date": "2025-04-12T10:46:40.837000",
        "db": "NVD",
        "id": "CVE-2014-1599",
        "ident": null
      }
    ]
  },
  "threat_type": {
    "_id": null,
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201403-158"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "_id": null,
    "data": "SFR Box Router firmware cross-site scripting vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-001600"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "_id": null,
    "data": "xss",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "125546"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201403-158"
      }
    ],
    "trust": 0.7
  }
}