Vulnerability Note VU#252294
Mediatrix 4402 digital gateway web interface contains a cross-site scripting (XSS) vulnerability
Overview
Mediatrix's web management interface for the 4402 digital gateway device with firmware version Dgw 1.1.13.186, and possibly earlier versions, contains a cross-site scripting (XSS) vulnerability. (CWE-79)
Description
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Mediatrix's web management interface for the 4402 digital gateway device with firmware version Dgw 1.1.13.186, and possibly earlier versions, contains a cross-site scripting (XSS) vulnerability. The reflected XSS is in the login page's "username" parameter, which is echoed back into the page without being neutralized. The following is a proof-of-concept of the XSS vulnerability.
Impact
A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session.
Solution
We are currently unaware of a practical solution to this problem. Please consider the following workaround.
Restrict access
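As an added example (not code from the advisory, the vendor or the device firmware), the reflected pattern the note describes, a login page that echoes the "username" parameter into HTML without encoding, beside the output-encoded form that removes the flaw, plus a check over constructed access-log lines for that parameter; the template, function names and log lines are assumptions.

```python
# Added example: vulnerable vs. fixed reflection of a login "username" parameter,
# and a simple access-log check for the same parameter. Names and data are assumed.
from html import escape
from urllib.parse import urlparse, parse_qs, unquote

LOGIN_TEMPLATE = '<form method="post"><input name="username" value="{user}"></form>'

def render_login_unsafe(username: str) -> str:
    # Vulnerable pattern (CWE-79): the raw parameter is interpolated into the page,
    # so quotes and angle brackets in the input become markup.
    return LOGIN_TEMPLATE.format(user=username)

def render_login_safe(username: str) -> str:
    # Fixed pattern: HTML-encode the value for the attribute context before output.
    return LOGIN_TEMPLATE.format(user=escape(username, quote=True))

def attribute_is_intact(page: str) -> bool:
    """True when the reflected value stayed inside the value="..." attribute."""
    start = page.index('value="') + len('value="')
    end = page.index('"', start)
    return page[end:].startswith('"></form>')

def suspicious_username_requests(log_lines):
    """Return log lines whose username parameter carries markup characters."""
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]      # "GET /path?... HTTP/1.1"
            path = request.split(' ')[1]
        except IndexError:
            continue                          # not a common-log-format line
        query = parse_qs(urlparse(path).query)
        for value in query.get('username', []):
            if any(c in unquote(value) for c in '<>"\''):
                hits.append(line)
                break
    return hits

# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jan/2014:10:00:00 +0000] "GET /login?username=admin HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/Jan/2014:10:00:07 +0000] "GET /login?username=%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 540',
]
```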
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| media5 Corporation | Affected | 14 Jan 2014 | 03 Feb 2014 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 4.3 | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| Temporal | 3.3 | E:U/RL:ND/RC:UC |
| Environmental | 0.8 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
References
- http://www.mediatrix.com/en/voip-gateways/mediatrix-4400-series
- http://www.securityfocus.com/archive/1/530871/30/0/threaded
- http://cwe.mitre.org/data/definitions/79.html
Credit
Thanks to Tudor Enache of Help AG Middle East for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
- CVE IDs: CVE-2014-1612
- Date Public: 23 Jan 2014
- Date First Published: 03 Feb 2014
- Date Last Updated: 07 Apr 2014
- Document Revision: 16
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.