Vulnerabilites related to syrotech - sy-gpon-1110-wdont
Vulnerability from fkie_nvd
Published
2024-07-26 12:15
Modified
2024-11-21 09:32
Severity ?
Summary
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to unencrypted storing of WPA/ WPS credentials within the router's firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext WPA/ WPS credentials on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to bypass WPA/ WPS and gain access to the Wi-Fi network of the targeted system.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| syrotech | sy-gpon-1110-wdont_firmware | 3.1.02-231102 | |
| syrotech | sy-gpon-1110-wdont | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:syrotech:sy-gpon-1110-wdont_firmware:3.1.02-231102:*:*:*:*:*:*:*",
"matchCriteriaId": "86741534-D753-4728-BA0B-AF4E5F911DF5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:syrotech:sy-gpon-1110-wdont:-:*:*:*:*:*:*:*",
"matchCriteriaId": "85FA5240-DBBB-42C6-807F-59024B25269A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to unencrypted storing of WPA/ WPS credentials within the router\u0027s firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext WPA/ WPS credentials on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to bypass WPA/ WPS and gain access to the Wi-Fi network of the targeted system."
},
{
"lang": "es",
"value": "Esta vulnerabilidad existe en el enrutador SyroTech SY-GPON-1110-WDONT debido al almacenamiento no cifrado de credenciales WPA/WPS dentro del firmware/base de datos del enrutador. Un atacante con acceso f\u00edsico podr\u00eda aprovechar esto extrayendo el firmware y aplicando ingenier\u00eda inversa a los datos binarios para acceder a las credenciales WPA/WPS en texto plano en el sistema vulnerable. La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir al atacante eludir WPA/WPS y obtener acceso a la red Wi-Fi del sistema objetivo."
}
],
"id": "CVE-2024-41689",
"lastModified": "2024-11-21T09:32:58.750",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "PHYSICAL",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "vdisclose@cert-in.org.in",
"type": "Secondary"
}
]
},
"published": "2024-07-26T12:15:03.490",
"references": [
{
"source": "vdisclose@cert-in.org.in",
"tags": [
"Third Party Advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"sourceIdentifier": "vdisclose@cert-in.org.in",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-798"
}
],
"source": "vdisclose@cert-in.org.in",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-26 12:15
Modified
2024-11-21 09:32
Severity ?
Summary
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due lack of encryption in storing of usernames and passwords within the router's firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext credentials on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| syrotech | sy-gpon-1110-wdont_firmware | 3.1.02-231102 | |
| syrotech | sy-gpon-1110-wdont | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:syrotech:sy-gpon-1110-wdont_firmware:3.1.02-231102:*:*:*:*:*:*:*",
"matchCriteriaId": "86741534-D753-4728-BA0B-AF4E5F911DF5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:syrotech:sy-gpon-1110-wdont:-:*:*:*:*:*:*:*",
"matchCriteriaId": "85FA5240-DBBB-42C6-807F-59024B25269A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due lack of encryption in storing of usernames and passwords within the router\u0027s firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext credentials on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system."
},
{
"lang": "es",
"value": "Esta vulnerabilidad existe en el enrutador SyroTech SY-GPON-1110-WDONT debido a la falta de cifrado en el almacenamiento de nombres de usuario y contrase\u00f1as dentro del firmware/base de datos del enrutador. Un atacante con acceso f\u00edsico podr\u00eda aprovechar esto extrayendo el firmware y aplicando ingenier\u00eda inversa a los datos binarios para acceder a las credenciales en texto plano en el sistema vulnerable. La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir al atacante obtener acceso no autorizado al sistema objetivo."
}
],
"id": "CVE-2024-41688",
"lastModified": "2024-11-21T09:32:58.603",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "PHYSICAL",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "vdisclose@cert-in.org.in",
"type": "Secondary"
}
]
},
"published": "2024-07-26T12:15:03.370",
"references": [
{
"source": "vdisclose@cert-in.org.in",
"tags": [
"Third Party Advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"sourceIdentifier": "vdisclose@cert-in.org.in",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "vdisclose@cert-in.org.in",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-26 12:15
Modified
2024-11-21 09:32
Severity ?
Summary
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to capture cookies and obtain sensitive information on the targeted system.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| syrotech | sy-gpon-1110-wdont_firmware | 3.1.02-231102 | |
| syrotech | sy-gpon-1110-wdont | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:syrotech:sy-gpon-1110-wdont_firmware:3.1.02-231102:*:*:*:*:*:*:*",
"matchCriteriaId": "86741534-D753-4728-BA0B-AF4E5F911DF5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:syrotech:sy-gpon-1110-wdont:-:*:*:*:*:*:*:*",
"matchCriteriaId": "85FA5240-DBBB-42C6-807F-59024B25269A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router\u0027s web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to capture cookies and obtain sensitive information on the targeted system."
},
{
"lang": "es",
"value": "Esta vulnerabilidad existe en el enrutador SyroTech SY-GPON-1110-WDONT debido a la falta de la etiqueta HTTPOnly para las cookies de sesi\u00f3n asociadas con la interfaz de administraci\u00f3n web del enrutador. Un atacante con acceso remoto podr\u00eda aprovechar esto interceptando la transmisi\u00f3n dentro de una sesi\u00f3n HTTP en el sistema vulnerable. La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir al atacante capturar cookies y obtener informaci\u00f3n sensible en el sistema objetivo."
}
],
"id": "CVE-2024-41685",
"lastModified": "2024-11-21T09:32:58.130",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "vdisclose@cert-in.org.in",
"type": "Secondary"
}
]
},
"published": "2024-07-26T12:15:02.977",
"references": [
{
"source": "vdisclose@cert-in.org.in",
"tags": [
"Third Party Advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"sourceIdentifier": "vdisclose@cert-in.org.in",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1004"
}
],
"source": "vdisclose@cert-in.org.in",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-26 12:15
Modified
2024-11-21 09:32
Severity ?
Summary
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to storing of default username and password credentials in plaintext within the router's firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext default credentials on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| syrotech | sy-gpon-1110-wdont_firmware | 3.1.02-231102 | |
| syrotech | sy-gpon-1110-wdont | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:syrotech:sy-gpon-1110-wdont_firmware:3.1.02-231102:*:*:*:*:*:*:*",
"matchCriteriaId": "86741534-D753-4728-BA0B-AF4E5F911DF5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:syrotech:sy-gpon-1110-wdont:-:*:*:*:*:*:*:*",
"matchCriteriaId": "85FA5240-DBBB-42C6-807F-59024B25269A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to storing of default username and password credentials in plaintext within the router\u0027s firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext default credentials on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system."
},
{
"lang": "es",
"value": "Esta vulnerabilidad existe en el enrutador SyroTech SY-GPON-1110-WDONT debido al almacenamiento de credenciales de nombre de usuario y contrase\u00f1a predeterminadas en texto plano dentro del firmware/base de datos del enrutador. Un atacante con acceso f\u00edsico podr\u00eda aprovechar esto extrayendo el firmware y aplicando ingenier\u00eda inversa a los datos binarios para acceder a las credenciales predeterminadas en texto plano en el sistema vulnerable. La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir al atacante obtener acceso no autorizado al sistema objetivo."
}
],
"id": "CVE-2024-41690",
"lastModified": "2024-11-21T09:32:58.903",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "PHYSICAL",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "vdisclose@cert-in.org.in",
"type": "Secondary"
}
]
},
"published": "2024-07-26T12:15:03.623",
"references": [
{
"source": "vdisclose@cert-in.org.in",
"tags": [
"Third Party Advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"sourceIdentifier": "vdisclose@cert-in.org.in",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "vdisclose@cert-in.org.in",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-26 12:15
Modified
2024-11-21 09:32
Severity ?
Summary
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to improper implementation of password policies. A local attacker could exploit this by creating password that do not adhere to the defined security standards/policy on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to expose the router to potential security threats.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| syrotech | sy-gpon-1110-wdont_firmware | 3.1.02-231102 | |
| syrotech | sy-gpon-1110-wdont | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:syrotech:sy-gpon-1110-wdont_firmware:3.1.02-231102:*:*:*:*:*:*:*",
"matchCriteriaId": "86741534-D753-4728-BA0B-AF4E5F911DF5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:syrotech:sy-gpon-1110-wdont:-:*:*:*:*:*:*:*",
"matchCriteriaId": "85FA5240-DBBB-42C6-807F-59024B25269A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to improper implementation of password policies. A local attacker could exploit this by creating password that do not adhere to the defined security standards/policy on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to expose the router to potential security threats."
},
{
"lang": "es",
"value": "Esta vulnerabilidad existe en el enrutador SyroTech SY-GPON-1110-WDONT debido a la implementaci\u00f3n incorrecta de pol\u00edticas de contrase\u00f1as. Un atacante local podr\u00eda aprovechar esto creando contrase\u00f1as que no cumplan con los est\u00e1ndares o pol\u00edticas de seguridad definidos en el sistema vulnerable. La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir al atacante exponer el enrutador a posibles amenazas de seguridad."
}
],
"id": "CVE-2024-41686",
"lastModified": "2024-11-21T09:32:58.303",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "vdisclose@cert-in.org.in",
"type": "Secondary"
}
]
},
"published": "2024-07-26T12:15:03.113",
"references": [
{
"source": "vdisclose@cert-in.org.in",
"tags": [
"Third Party Advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"sourceIdentifier": "vdisclose@cert-in.org.in",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-179"
}
],
"source": "vdisclose@cert-in.org.in",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-26 12:15
Modified
2024-11-21 09:32
Severity ?
Summary
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing secure flag for the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to capture cookies and compromise the targeted system.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| syrotech | sy-gpon-1110-wdont_firmware | 3.1.02-231102 | |
| syrotech | sy-gpon-1110-wdont | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:syrotech:sy-gpon-1110-wdont_firmware:3.1.02-231102:*:*:*:*:*:*:*",
"matchCriteriaId": "86741534-D753-4728-BA0B-AF4E5F911DF5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:syrotech:sy-gpon-1110-wdont:-:*:*:*:*:*:*:*",
"matchCriteriaId": "85FA5240-DBBB-42C6-807F-59024B25269A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing secure flag for the session cookies associated with the router\u0027s web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to capture cookies and compromise the targeted system."
},
{
"lang": "es",
"value": "Esta vulnerabilidad existe en el enrutador SyroTech SY-GPON-1110-WDONT debido a la falta de un indicador de seguridad para las cookies de sesi\u00f3n asociadas con la interfaz de administraci\u00f3n web del enrutador. Un atacante con acceso remoto podr\u00eda aprovechar esto interceptando la transmisi\u00f3n dentro de una sesi\u00f3n HTTP en el sistema vulnerable. La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir al atacante capturar cookies y comprometer el sistema objetivo."
}
],
"id": "CVE-2024-41684",
"lastModified": "2024-11-21T09:32:57.967",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "vdisclose@cert-in.org.in",
"type": "Secondary"
}
]
},
"published": "2024-07-26T12:15:02.763",
"references": [
{
"source": "vdisclose@cert-in.org.in",
"tags": [
"Third Party Advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"sourceIdentifier": "vdisclose@cert-in.org.in",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-614"
}
],
"source": "vdisclose@cert-in.org.in",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-26 12:15
Modified
2024-11-21 09:32
Severity ?
Summary
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to storing of FTP credentials in plaintext within the SquashFS-root filesystem associated with the router's firmware. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext FTP credentials from the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the FTP server associated with the targeted system.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| syrotech | sy-gpon-1110-wdont_firmware | 3.1.02-231102 | |
| syrotech | sy-gpon-1110-wdont | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:syrotech:sy-gpon-1110-wdont_firmware:3.1.02-231102:*:*:*:*:*:*:*",
"matchCriteriaId": "86741534-D753-4728-BA0B-AF4E5F911DF5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:syrotech:sy-gpon-1110-wdont:-:*:*:*:*:*:*:*",
"matchCriteriaId": "85FA5240-DBBB-42C6-807F-59024B25269A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to storing of FTP credentials in plaintext within the SquashFS-root filesystem associated with the router\u0027s firmware. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext FTP credentials from the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the FTP server associated with the targeted system."
},
{
"lang": "es",
"value": "Esta vulnerabilidad existe en el enrutador SyroTech SY-GPON-1110-WDONT debido al almacenamiento de credenciales FTP en texto plano dentro del sistema de archivos SquashFS-root asociado con el firmware del enrutador. Un atacante con acceso f\u00edsico podr\u00eda aprovechar esto extrayendo el firmware y aplicando ingenier\u00eda inversa a los datos binarios para acceder a las credenciales FTP en texto plano del sistema vulnerable. La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir al atacante obtener acceso no autorizado al servidor FTP asociado con el sistema objetivo."
}
],
"id": "CVE-2024-41691",
"lastModified": "2024-11-21T09:32:59.053",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "PHYSICAL",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "vdisclose@cert-in.org.in",
"type": "Secondary"
}
]
},
"published": "2024-07-26T12:15:03.753",
"references": [
{
"source": "vdisclose@cert-in.org.in",
"tags": [
"Third Party Advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"sourceIdentifier": "vdisclose@cert-in.org.in",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "vdisclose@cert-in.org.in",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-26 12:15
Modified
2024-11-21 09:32
Severity ?
Summary
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to transmission of password in plain text. A remote attacker could exploit this vulnerability by intercepting transmission within an HTTP session on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| syrotech | sy-gpon-1110-wdont_firmware | 3.1.02-231102 | |
| syrotech | sy-gpon-1110-wdont | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:syrotech:sy-gpon-1110-wdont_firmware:3.1.02-231102:*:*:*:*:*:*:*",
"matchCriteriaId": "86741534-D753-4728-BA0B-AF4E5F911DF5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:syrotech:sy-gpon-1110-wdont:-:*:*:*:*:*:*:*",
"matchCriteriaId": "85FA5240-DBBB-42C6-807F-59024B25269A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to transmission of password in plain text. A remote attacker could exploit this vulnerability by intercepting transmission within an HTTP session on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system."
},
{
"lang": "es",
"value": "Esta vulnerabilidad existe en el enrutador SyroTech SY-GPON-1110-WDONT debido a la transmisi\u00f3n de contrase\u00f1as en texto plano. Un atacante remoto podr\u00eda aprovechar esta vulnerabilidad interceptando la transmisi\u00f3n dentro de una sesi\u00f3n HTTP en el sistema vulnerable. La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir al atacante obtener acceso no autorizado al sistema objetivo."
}
],
"id": "CVE-2024-41687",
"lastModified": "2024-11-21T09:32:58.460",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "vdisclose@cert-in.org.in",
"type": "Secondary"
}
]
},
"published": "2024-07-26T12:15:03.250",
"references": [
{
"source": "vdisclose@cert-in.org.in",
"tags": [
"Third Party Advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"sourceIdentifier": "vdisclose@cert-in.org.in",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "vdisclose@cert-in.org.in",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-41687 (GCVE-0-2024-41687)
Vulnerability from cvelistv5
Published
2024-07-26 11:50
Modified
2024-08-07 18:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-319 - Cleartext Transmission of Sensitive Information
Summary
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to transmission of password in plain text. A remote attacker could exploit this vulnerability by intercepting transmission within an HTTP session on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SyroTech | SyroTech SY-GPON-1110-WDONT router |
Version: 3.1.02-231102 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:syrotech:sy-gpon-1110-wdont_firmware:3.1.02-231102:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "sy-gpon-1110-wdont_firmware",
"vendor": "syrotech",
"versions": [
{
"status": "affected",
"version": "3.1.02-231102"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41687",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T18:57:36.782592Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T18:59:05.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.675Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SyroTech SY-GPON-1110-WDONT router",
"vendor": "SyroTech",
"versions": [
{
"status": "affected",
"version": "3.1.02-231102"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "These vulnerabilities are discovered by Shravan Singh, Rahul Giri, \u0026 Karan Patel from Redfox Cyber Security Inc, Toronto, Canada."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to transmission of password in plain text. A remote attacker could exploit this vulnerability by intercepting transmission within an HTTP session on the vulnerable system.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system."
}
],
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to transmission of password in plain text. A remote attacker could exploit this vulnerability by intercepting transmission within an HTTP session on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system."
}
],
"impacts": [
{
"capecId": "CAPEC-117",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-117: Interception"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319: Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T07:41:37.227Z",
"orgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"shortName": "CERT-In"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade SyroTech SY-GPON-1110-WDONT Router firmware to patched version 3.1.02-240517\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view\"\u003ehttp://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "Upgrade SyroTech SY-GPON-1110-WDONT Router firmware to patched version 3.1.02-240517\n\n http://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cleartext Transmission of Sensitive Information Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"assignerShortName": "CERT-In",
"cveId": "CVE-2024-41687",
"datePublished": "2024-07-26T11:50:30.359Z",
"dateReserved": "2024-07-19T11:24:20.420Z",
"dateUpdated": "2024-08-07T18:59:05.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41686 (GCVE-0-2024-41686)
Vulnerability from cvelistv5
Published
2024-07-26 11:45
Modified
2024-08-02 04:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-179 - Incorrect Behavior Order: Early Validation
Summary
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to improper implementation of password policies. A local attacker could exploit this by creating password that do not adhere to the defined security standards/policy on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to expose the router to potential security threats.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SyroTech | SyroTech SY-GPON-1110-WDONT router |
Version: 3.1.02-231102 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:syrotech:sy-gpon-1110-wdont_firmware:3.1.02-231102:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sy-gpon-1110-wdont_firmware",
"vendor": "syrotech",
"versions": [
{
"status": "affected",
"version": "3.1.02-231102"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41686",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T13:50:35.786283Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T13:51:46.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SyroTech SY-GPON-1110-WDONT router",
"vendor": "SyroTech",
"versions": [
{
"status": "affected",
"version": "3.1.02-231102"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "These vulnerabilities are discovered by Shravan Singh, Rahul Giri, \u0026 Karan Patel from Redfox Cyber Security Inc, Toronto, Canada."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to improper implementation of password policies. A local attacker could exploit this by creating password that do not adhere to the defined security standards/policy on the vulnerable system.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation of this vulnerability could allow the attacker to expose the router to potential security threats."
}
],
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to improper implementation of password policies. A local attacker could exploit this by creating password that do not adhere to the defined security standards/policy on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to expose the router to potential security threats."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-179",
"description": "CWE-179: Incorrect Behavior Order: Early Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T07:40:12.035Z",
"orgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"shortName": "CERT-In"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade SyroTech SY-GPON-1110-WDONT Router firmware to patched version 3.1.02-240517\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view\"\u003ehttp://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "Upgrade SyroTech SY-GPON-1110-WDONT Router firmware to patched version 3.1.02-240517\n\n http://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Password Policy Bypass Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"assignerShortName": "CERT-In",
"cveId": "CVE-2024-41686",
"datePublished": "2024-07-26T11:45:18.109Z",
"dateReserved": "2024-07-19T11:24:20.419Z",
"dateUpdated": "2024-08-02T04:46:52.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41690 (GCVE-0-2024-41690)
Vulnerability from cvelistv5
Published
2024-07-26 12:02
Modified
2024-08-02 04:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-312 - Cleartext Storage of Sensitive Information
Summary
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to storing of default username and password credentials in plaintext within the router's firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext default credentials on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SyroTech | SyroTech SY-GPON-1110-WDONT router |
Version: 3.1.02-231102 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:syrotech:sy-gpon-1110-wdont_firmware:3.1.02-231102:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sy-gpon-1110-wdont_firmware",
"vendor": "syrotech",
"versions": [
{
"status": "affected",
"version": "3.1.02-231102"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41690",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T18:14:42.037077Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T18:16:47.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.684Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SyroTech SY-GPON-1110-WDONT router",
"vendor": "SyroTech",
"versions": [
{
"status": "affected",
"version": "3.1.02-231102"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "These vulnerabilities are discovered by Shravan Singh, Rahul Giri, \u0026 Karan Patel from Redfox Cyber Security Inc, Toronto, Canada."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to storing of default username and password credentials in plaintext within the router\u0027s firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext default credentials on the vulnerable system.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system."
}
],
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to storing of default username and password credentials in plaintext within the router\u0027s firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext default credentials on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "PHYSICAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T07:45:23.882Z",
"orgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"shortName": "CERT-In"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade SyroTech SY-GPON-1110-WDONT Router firmware to patched version 3.1.02-240517\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view\"\u003ehttp://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "Upgrade SyroTech SY-GPON-1110-WDONT Router firmware to patched version 3.1.02-240517\n\n http://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Default Credential Storage in Plaintext Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"assignerShortName": "CERT-In",
"cveId": "CVE-2024-41690",
"datePublished": "2024-07-26T12:02:29.466Z",
"dateReserved": "2024-07-19T11:24:20.421Z",
"dateUpdated": "2024-08-02T04:46:52.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41685 (GCVE-0-2024-41685)
Vulnerability from cvelistv5
Published
2024-07-26 11:41
Modified
2024-08-02 04:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
Summary
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to capture cookies and obtain sensitive information on the targeted system.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SyroTech | SyroTech SY-GPON-1110-WDONT router |
Version: 3.1.02-231102 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:syrotech:sy-gpon-1110-wdont_firmware:3.1.02-231102:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sy-gpon-1110-wdont_firmware",
"vendor": "syrotech",
"versions": [
{
"status": "affected",
"version": "3.1.02-231102"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41685",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T14:34:42.611474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T14:37:59.696Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SyroTech SY-GPON-1110-WDONT router",
"vendor": "SyroTech",
"versions": [
{
"status": "affected",
"version": "3.1.02-231102"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "These vulnerabilities are discovered by Shravan Singh, Rahul Giri, \u0026 Karan Patel from Redfox Cyber Security Inc, Toronto, Canada."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router\u0027s web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation of this vulnerability could allow the attacker to capture cookies and obtain sensitive information on the targeted system."
}
],
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router\u0027s web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to capture cookies and obtain sensitive information on the targeted system."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1004",
"description": "CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T07:39:09.202Z",
"orgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"shortName": "CERT-In"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade SyroTech SY-GPON-1110-WDONT Router firmware to patched version 3.1.02-240517\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view\"\u003ehttp://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "Upgrade SyroTech SY-GPON-1110-WDONT Router firmware to patched version 3.1.02-240517\n\n http://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cookie Without HTTPOnly Flag Set Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"assignerShortName": "CERT-In",
"cveId": "CVE-2024-41685",
"datePublished": "2024-07-26T11:41:53.968Z",
"dateReserved": "2024-07-19T11:24:20.419Z",
"dateUpdated": "2024-08-02T04:46:52.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41689 (GCVE-0-2024-41689)
Vulnerability from cvelistv5
Published
2024-07-26 11:59
Modified
2024-08-02 04:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-798 - Use of Hard-coded Credentials
Summary
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to unencrypted storing of WPA/ WPS credentials within the router's firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext WPA/ WPS credentials on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to bypass WPA/ WPS and gain access to the Wi-Fi network of the targeted system.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SyroTech | SyroTech SY-GPON-1110-WDONT router |
Version: 3.1.02-231102 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41689",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T18:11:55.433538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T18:12:01.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.664Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SyroTech SY-GPON-1110-WDONT router",
"vendor": "SyroTech",
"versions": [
{
"status": "affected",
"version": "3.1.02-231102"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "These vulnerabilities are discovered by Shravan Singh, Rahul Giri, \u0026 Karan Patel from Redfox Cyber Security Inc, Toronto, Canada."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to unencrypted storing of WPA/ WPS credentials within the router\u0027s firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext WPA/ WPS credentials on the vulnerable system.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation of this vulnerability could allow the attacker to bypass WPA/ WPS and gain access to the Wi-Fi network of the targeted system."
}
],
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to unencrypted storing of WPA/ WPS credentials within the router\u0027s firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext WPA/ WPS credentials on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to bypass WPA/ WPS and gain access to the Wi-Fi network of the targeted system."
}
],
"impacts": [
{
"capecId": "CAPEC-191",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-191: Read Sensitive Constants Within an Executable"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "PHYSICAL",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T07:44:16.163Z",
"orgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"shortName": "CERT-In"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade SyroTech SY-GPON-1110-WDONT Router firmware to patched version 3.1.02-240517\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view\"\u003ehttp://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "Upgrade SyroTech SY-GPON-1110-WDONT Router firmware to patched version 3.1.02-240517\n\n http://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Hard-coded Credentials Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"assignerShortName": "CERT-In",
"cveId": "CVE-2024-41689",
"datePublished": "2024-07-26T11:59:38.725Z",
"dateReserved": "2024-07-19T11:24:20.421Z",
"dateUpdated": "2024-08-02T04:46:52.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41691 (GCVE-0-2024-41691)
Vulnerability from cvelistv5
Published
2024-07-26 12:06
Modified
2024-08-05 10:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-312 - Cleartext Storage of Sensitive Information
Summary
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to storing of FTP credentials in plaintext within the SquashFS-root filesystem associated with the router's firmware. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext FTP credentials from the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the FTP server associated with the targeted system.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SyroTech | SyroTech SY-GPON-1110-WDONT router |
Version: 3.1.02-231102 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.941Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41691",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T13:39:14.763756Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:12.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SyroTech SY-GPON-1110-WDONT router",
"vendor": "SyroTech",
"versions": [
{
"status": "affected",
"version": "3.1.02-231102"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "These vulnerabilities are discovered by Shravan Singh, Rahul Giri, \u0026 Karan Patel from Redfox Cyber Security Inc, Toronto, Canada."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to storing of FTP credentials in plaintext within the SquashFS-root filesystem associated with the router\u0027s firmware. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext FTP credentials from the vulnerable system.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the FTP server associated with the targeted system.\u003cbr\u003e"
}
],
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to storing of FTP credentials in plaintext within the SquashFS-root filesystem associated with the router\u0027s firmware. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext FTP credentials from the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the FTP server associated with the targeted system."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "PHYSICAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T07:49:45.454Z",
"orgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"shortName": "CERT-In"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade SyroTech SY-GPON-1110-WDONT Router firmware to patched version 3.1.02-240517\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view\"\u003ehttp://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "Upgrade SyroTech SY-GPON-1110-WDONT Router firmware to patched version 3.1.02-240517\n\n http://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Insecure Storage of Sensitive Information Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"assignerShortName": "CERT-In",
"cveId": "CVE-2024-41691",
"datePublished": "2024-07-26T12:06:39.053Z",
"dateReserved": "2024-07-19T11:24:20.421Z",
"dateUpdated": "2024-08-05T10:24:12.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41684 (GCVE-0-2024-41684)
Vulnerability from cvelistv5
Published
2024-07-26 11:34
Modified
2024-08-02 04:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Summary
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing secure flag for the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to capture cookies and compromise the targeted system.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SyroTech | SyroTech SY-GPON-1110-WDONT router |
Version: 3.1.02-231102 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41684",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T19:01:08.482510Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T20:25:35.259Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.723Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SyroTech SY-GPON-1110-WDONT router",
"vendor": "SyroTech",
"versions": [
{
"status": "affected",
"version": "3.1.02-231102"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "These vulnerabilities are discovered by Shravan Singh, Rahul Giri, \u0026 Karan Patel from Redfox Cyber Security Inc, Toronto, Canada."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing secure flag for the session cookies associated with the router\u0027s web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation of this vulnerability could allow the attacker to capture cookies and compromise the targeted system."
}
],
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing secure flag for the session cookies associated with the router\u0027s web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to capture cookies and compromise the targeted system."
}
],
"impacts": [
{
"capecId": "CAPEC-102",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-102: Session Sidejacking"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T07:36:16.718Z",
"orgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"shortName": "CERT-In"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade SyroTech SY-GPON-1110-WDONT Router firmware to patched version 3.1.02-240517\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view\"\u003ehttp://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "Upgrade SyroTech SY-GPON-1110-WDONT Router firmware to patched version 3.1.02-240517\n\n http://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cookie Without Secure Flag Set Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"assignerShortName": "CERT-In",
"cveId": "CVE-2024-41684",
"datePublished": "2024-07-26T11:34:53.978Z",
"dateReserved": "2024-07-19T11:24:20.419Z",
"dateUpdated": "2024-08-02T04:46:52.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41688 (GCVE-0-2024-41688)
Vulnerability from cvelistv5
Published
2024-07-26 11:56
Modified
2024-08-02 04:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-312 - Cleartext Storage of Sensitive Information
Summary
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due lack of encryption in storing of usernames and passwords within the router's firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext credentials on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SyroTech | SyroTech SY-GPON-1110-WDONT router |
Version: 3.1.02-231102 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41688",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T15:19:06.645946Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T15:19:25.966Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.664Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SyroTech SY-GPON-1110-WDONT router",
"vendor": "SyroTech",
"versions": [
{
"status": "affected",
"version": "3.1.02-231102"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "These vulnerabilities are discovered by Shravan Singh, Rahul Giri, \u0026 Karan Patel from Redfox Cyber Security Inc, Toronto, Canada."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due lack of encryption in storing of usernames and passwords within the router\u0027s firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext credentials on the vulnerable system.\u003cbr\u003e\u003cbr\u003eSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system."
}
],
"value": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due lack of encryption in storing of usernames and passwords within the router\u0027s firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext credentials on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37\tRetrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "PHYSICAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T07:42:49.176Z",
"orgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"shortName": "CERT-In"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade SyroTech SY-GPON-1110-WDONT Router firmware to patched version 3.1.02-240517\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view\"\u003ehttp://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "Upgrade SyroTech SY-GPON-1110-WDONT Router firmware to patched version 3.1.02-240517\n\n http://drive.google.com/file/d/1JQc3AkJm69mV0kg2c-b-zzaojc87Rru9/view"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cleartext Storage of Sensitive Information Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"assignerShortName": "CERT-In",
"cveId": "CVE-2024-41688",
"datePublished": "2024-07-26T11:56:03.174Z",
"dateReserved": "2024-07-19T11:24:20.420Z",
"dateUpdated": "2024-08-02T04:46:52.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}