VAR-201411-0455
Vulnerability from variot - Updated: 2025-04-13 23:37

Cross-site scripting (XSS) vulnerability in s_network.asp in the Denon AVR-3313CI audio/video receiver allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to Friendlyname. Authentication is not required to persist the attack. However, user interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within parameters used by s_network.asp, which does not properly sanitize user-supplied data. Some parameter values are used on multiple pages, and the injected JavaScript will therefore run when any user views any of those pages, including the portal's landing page. The Denon AVR-3313CI is a home theater amplifier. Denon AVR-3313CI 's_network.asp' has multiple HTML injection vulnerabilities because it does not properly filter user-supplied input. Other attacks are also possible. The record below carries two CVSS v2 base scores for this issue: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) from NVD and CNVD, and 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N) from ZDI.
{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "avr-3313ci",
"scope": "eq",
"trust": 1.6,
"vendor": "denon",
"version": null
},
{
"_id": null,
"model": "avr-3313ci",
"scope": null,
"trust": 1.3,
"vendor": "denon",
"version": null
},
{
"_id": null,
"model": "avr-3313ci",
"scope": null,
"trust": 0.8,
"vendor": "d m holdings",
"version": null
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-14-371"
},
{
"db": "CNVD",
"id": "CNVD-2014-08115"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005261"
},
{
"db": "CNNVD",
"id": "CNNVD-201411-071"
},
{
"db": "NVD",
"id": "CVE-2014-8508"
}
]
},
"configurations": {
"_id": null,
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/h:denon:avr-3313ci",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-005261"
}
]
},
"credits": {
"_id": null,
"data": "Ricky \"HeadlessZeke\" Lawshae of HP DVLabs",
"sources": [
{
"db": "ZDI",
"id": "ZDI-14-371"
},
{
"db": "BID",
"id": "70892"
},
{
"db": "CNNVD",
"id": "CNNVD-201411-071"
}
],
"trust": 1.6
},
"cve": "CVE-2014-8508",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2014-8508",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "ZDI",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2014-8508",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "MEDIUM",
"trust": 0.7,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CNVD-2014-08115",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2014-8508",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2014-8508",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2014-8508",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2014-08115",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201411-071",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-14-371"
},
{
"db": "CNVD",
"id": "CNVD-2014-08115"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005261"
},
{
"db": "CNNVD",
"id": "CNNVD-201411-071"
},
{
"db": "NVD",
"id": "CVE-2014-8508"
}
]
},
"description": {
"_id": null,
"data": "Cross-site scripting (XSS) vulnerability in s_network.asp in the Denon AVR-3313CI audio/video receiver allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to Friendlyname. Authentication is not required to persist the attack. However, user interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within parameters used by s_network.asp which does not properly sanitize user-supplied data. Some parameter values are used on multiple pages and the injected JavaScript will therefore run when any user views any of those pages, including the portal\u0027s landing page. The Denon AVR-3313CI is a home theater amplifier. Denon AVR-3313CI \u0027s_network.asp\u0027 has multiple HTML injection vulnerabilities because it does not properly filter user-supplied input. Other attacks are also possible.",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-8508"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005261"
},
{
"db": "ZDI",
"id": "ZDI-14-371"
},
{
"db": "CNVD",
"id": "CNVD-2014-08115"
},
{
"db": "BID",
"id": "70892"
}
],
"trust": 3.06
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2014-8508",
"trust": 4.0
},
{
"db": "ZDI",
"id": "ZDI-14-371",
"trust": 3.1
},
{
"db": "BID",
"id": "70892",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005261",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-2333",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2014-08115",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201411-071",
"trust": 0.6
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-14-371"
},
{
"db": "CNVD",
"id": "CNVD-2014-08115"
},
{
"db": "BID",
"id": "70892"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005261"
},
{
"db": "CNNVD",
"id": "CNNVD-201411-071"
},
{
"db": "NVD",
"id": "CVE-2014-8508"
}
]
},
"id": "VAR-201411-0455",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-08115"
}
],
"trust": 1.225
},
"iot_taxonomy": {
"_id": null,
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-08115"
}
]
},
"last_update_date": "2025-04-13T23:37:37.761000Z",
"patch": {
"_id": null,
"data": [
{
"title": "AVR-3313CI",
"trust": 0.8,
"url": "http://www.denon.jp/jp/Product/Pages/Product-Detail.aspx?Catid=9435625a-cc70-40e3-9319-d8e2db09de1f%20\u0026SubId=181cee58-952a-4135-969a-e2d2df6a4622\u0026ProductId=AVR-3313#.VFwzmWf5Qcs"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-005261"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-79",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-005261"
},
{
"db": "NVD",
"id": "CVE-2014-8508"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 2.4,
"url": "http://www.zerodayinitiative.com/advisories/zdi-14-371/"
},
{
"trust": 2.2,
"url": "http://www.securityfocus.com/bid/70892"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8508"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8508"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-08115"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005261"
},
{
"db": "CNNVD",
"id": "CNNVD-201411-071"
},
{
"db": "NVD",
"id": "CVE-2014-8508"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "ZDI",
"id": "ZDI-14-371",
"ident": null
},
{
"db": "CNVD",
"id": "CNVD-2014-08115",
"ident": null
},
{
"db": "BID",
"id": "70892",
"ident": null
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005261",
"ident": null
},
{
"db": "CNNVD",
"id": "CNNVD-201411-071",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2014-8508",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2014-11-03T00:00:00",
"db": "ZDI",
"id": "ZDI-14-371",
"ident": null
},
{
"date": "2014-11-06T00:00:00",
"db": "CNVD",
"id": "CNVD-2014-08115",
"ident": null
},
{
"date": "2014-11-04T00:00:00",
"db": "BID",
"id": "70892",
"ident": null
},
{
"date": "2014-11-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-005261",
"ident": null
},
{
"date": "2014-11-06T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201411-071",
"ident": null
},
{
"date": "2014-11-06T15:55:10.100000",
"db": "NVD",
"id": "CVE-2014-8508",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2014-11-03T00:00:00",
"db": "ZDI",
"id": "ZDI-14-371",
"ident": null
},
{
"date": "2014-11-06T00:00:00",
"db": "CNVD",
"id": "CNVD-2014-08115",
"ident": null
},
{
"date": "2014-11-04T00:00:00",
"db": "BID",
"id": "70892",
"ident": null
},
{
"date": "2014-11-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-005261",
"ident": null
},
{
"date": "2014-11-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201411-071",
"ident": null
},
{
"date": "2025-04-12T10:46:40.837000",
"db": "NVD",
"id": "CVE-2014-8508",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201411-071"
}
],
"trust": 0.6
},
"title": {
"_id": null,
"data": "Denon AVR-3313CI \u0027s_network.asp\u0027 Multiple HTML Injection Vulnerabilities",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-08115"
},
{
"db": "BID",
"id": "70892"
}
],
"trust": 0.9
},
"type": {
"_id": null,
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201411-071"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.