what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Airvana HubBub C1-600-RT Cross Site Scripting

Airvana HubBub C1-600-RT Cross Site Scripting
Posted Feb 28, 2013
Authored by Scott Behrens

The Airvana Airrave router version 2.5 suffers from a stored cross site scripting vulnerability.

tags | advisory, xss
advisories | CVE-2013-2270
SHA-256 | 8a8c8f4eaacfa94b50ca1148811eda804a4aecd70d923ea5ba83e689fbad47cc
Download | Favorite | View

Airvana HubBub C1-600-RT Cross Site Scripting

Change Mirror Download
   Advisory ID: NEOCAN-2013-002
Advisory Title: Stored XSS ('cross-site scripting') in Airvana HubBub C1-600-RT router
        Author: Scott Behrens / Scott.Behrens@Neohapsis.com
  Release Date: 02/27/2013
        Vendor: Airvana
   Application: Airrave 2.5 router administration page
      Platform: Web Application
      Severity: Medium
 Vendor status: No response from vendor
    CVE Number: CVE-2013-2270
     Reference: 004


Overview:

A stored cross-site scripting vulnerability was discovered in the Airrave 2.5 router.  An attacker that exploits this attack may use it to execute malicious JavaScript against a victim or trigger a browser exploit.  The attack requires 

that the victim is authenticated to the device.  


Vendor Response:

Vendor was contacted first via email on January 17th, 2013.  Researcher did not receive a response when using the 'online form' which was the only publically available email on the company’s website.

Vendor was then contacted via telephone on the following dates: January 25th, February 7th, February 12th. A 'support  operator' filed the ticket and informed the researcher a technician would call them back.  No technician ever followed 

up to the calls. 



Recommendation:

Ensure data controlled input is html encoded or escaped.  Perform content filtering on user control data for special characters or symbols.



Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues:

CVE-2013-2270

These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.


Common Weakness Enumeration (CWE) Information:

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

http://cwe.mitre.org/data/definitions/79.html



--------Neohapsis Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research@neohapsis.com

NeohapsisVulnerability Research GPG Key:
http://www.neohapsis.com/assets/NeohapsisVulnerabilityResearch-PUB.asc


Copyright (c) 2013 Neohapsis
Login or Register to add favorites

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    8 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close