exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Airvana HubBub C1-600-RT Cross Site Scripting

Airvana HubBub C1-600-RT Cross Site Scripting
Posted Feb 28, 2013
Authored by Scott Behrens

The Airvana Airrave router version 2.5 suffers from a stored cross site scripting vulnerability.

tags | advisory, xss
advisories | CVE-2013-2270
SHA-256 | 8a8c8f4eaacfa94b50ca1148811eda804a4aecd70d923ea5ba83e689fbad47cc

Airvana HubBub C1-600-RT Cross Site Scripting

Change Mirror Download
   Advisory ID: NEOCAN-2013-002
Advisory Title: Stored XSS ('cross-site scripting') in Airvana HubBub C1-600-RT router
Author: Scott Behrens / Scott.Behrens@Neohapsis.com
Release Date: 02/27/2013
Vendor: Airvana
Application: Airrave 2.5 router administration page
Platform: Web Application
Severity: Medium
Vendor status: No response from vendor
CVE Number: CVE-2013-2270
Reference: 004


Overview:

A stored cross-site scripting vulnerability was discovered in the Airrave 2.5 router. An attacker that exploits this attack may use it to execute malicious JavaScript against a victim or trigger a browser exploit. The attack requires

that the victim is authenticated to the device.


Vendor Response:

Vendor was contacted first via email on January 17th, 2013. Researcher did not receive a response when using the 'online form' which was the only publically available email on the company’s website.

Vendor was then contacted via telephone on the following dates: January 25th, February 7th, February 12th. A 'support operator' filed the ticket and informed the researcher a technician would call them back. No technician ever followed

up to the calls.



Recommendation:

Ensure data controlled input is html encoded or escaped. Perform content filtering on user control data for special characters or symbols.



Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues:

CVE-2013-2270

These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.


Common Weakness Enumeration (CWE) Information:

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

http://cwe.mitre.org/data/definitions/79.html



--------Neohapsis Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research@neohapsis.com

NeohapsisVulnerability Research GPG Key:
http://www.neohapsis.com/assets/NeohapsisVulnerabilityResearch-PUB.asc


Copyright (c) 2013 Neohapsis
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close