Airvana HubBub C1-600-RT Cross Site Scripting

Airvana HubBub C1-600-RT Cross Site Scripting: Posted Feb 28, 2013; Authored by Scott Behrens; The Airvana Airrave router version 2.5 suffers from a stored cross site scripting vulnerability.; tags | advisory, xss; advisories | CVE-2013-2270; SHA-256 | 8a8c8f4eaacfa94b50ca1148811eda804a4aecd70d923ea5ba83e689fbad47cc; Download | Favorite | View

Airvana HubBub C1-600-RT Cross Site Scripting

   Advisory ID: NEOCAN-2013-002
Advisory Title: Stored XSS ('cross-site scripting') in Airvana HubBub C1-600-RT router
        Author: Scott Behrens / Scott.Behrens@Neohapsis.com
  Release Date: 02/27/2013
        Vendor: Airvana
   Application: Airrave 2.5 router administration page
      Platform: Web Application
      Severity: Medium
 Vendor status: No response from vendor
    CVE Number: CVE-2013-2270
     Reference: 004


Overview:

A stored cross-site scripting vulnerability was discovered in the Airrave 2.5 router.  An attacker that exploits this attack may use it to execute malicious JavaScript against a victim or trigger a browser exploit.  The attack requires 

that the victim is authenticated to the device.  


Vendor Response:

Vendor was contacted first via email on January 17th, 2013.  Researcher did not receive a response when using the 'online form' which was the only publically available email on the company’s website.

Vendor was then contacted via telephone on the following dates: January 25th, February 7th, February 12th. A 'support  operator' filed the ticket and informed the researcher a technician would call them back.  No technician ever followed 

up to the calls. 



Recommendation:

Ensure data controlled input is html encoded or escaped.  Perform content filtering on user control data for special characters or symbols.



Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues:

CVE-2013-2270

These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.


Common Weakness Enumeration (CWE) Information:

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

http://cwe.mitre.org/data/definitions/79.html



--------Neohapsis Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research@neohapsis.com

NeohapsisVulnerability Research GPG Key:
http://www.neohapsis.com/assets/NeohapsisVulnerabilityResearch-PUB.asc


Copyright (c) 2013 Neohapsis

Top Authors In Last 30 Days

Red Hat 185 files
Ubuntu 89 files
Gentoo 23 files
Debian 20 files
tmrswrr 8 files
Amit Roy 4 files
Aslam Anwar Mahimkar 3 files
Jann Horn 3 files
ron190 3 files
bRpsd 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,074)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,523)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,242)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,193)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,636)
UNIX (9,424)
UnixWare (187)
Windows (6,665)
Other

Airvana HubBub C1-600-RT Cross Site Scripting

Airvana HubBub C1-600-RT Cross Site Scripting

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Airvana HubBub C1-600-RT Cross Site Scripting

Share This

Airvana HubBub C1-600-RT Cross Site Scripting

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems