CVE-2020-25205

The web console for Mimosa B5, B5c, and C5x firmware through 2.8.0.2 is vulnerable to stored XSS in the set_banner() function of /var/www/core/controller/index.php. An unauthenticated attacker may set the contents of the /mnt/jffs2/banner.txt file, stored on the device's filesystem, to contain arbitrary JavaScript. The file contents are then used as part of a welcome/banner message presented to unauthenticated users who visit the login page for the web console. This vulnerability does not occur in the older 1.5.x firmware versions.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://labs.f-secure.com/advisories/	Third Party Advisory
https://labs.f-secure.com/advisories/mimosa-ptp-devices-multiple-vulnerabilities/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:mimosa:b5_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:mimosa:b5:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:mimosa:b5c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:mimosa:b5c:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:mimosa:c5c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:mimosa:c5c:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-07-20 19:15

Updated : 2024-02-28 18:28

NVD link : CVE-2020-25205

Mitre link : CVE-2020-25205

CVE.ORG link : CVE-2020-25205

JSON object : View

Products Affected

mimosa

b5c_firmware
b5c
c5c
b5
c5c_firmware
b5_firmware

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2020-25205", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2021-07-20T19:15:09.563", "references": [{"url": "https://labs.f-secure.com/advisories/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://labs.f-secure.com/advisories/mimosa-ptp-devices-multiple-vulnerabilities/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The web console for Mimosa B5, B5c, and C5x firmware through 2.8.0.2 is vulnerable to stored XSS in the set_banner() function of /var/www/core/controller/index.php. An unauthenticated attacker may set the contents of the /mnt/jffs2/banner.txt file, stored on the device's filesystem, to contain arbitrary JavaScript. The file contents are then used as part of a welcome/banner message presented to unauthenticated users who visit the login page for the web console. This vulnerability does not occur in the older 1.5.x firmware versions."}, {"lang": "es", "value": "La consola web para el firmware Mimosa B5, B5c y C5x versiones hasta 2.8.0.2, es vulnerable a un ataque de tipo XSS almacenado en la funci\u00f3n set_banner() del archivo /var/www/core/controller/index.php. Un atacante no autenticado puede ajustar el contenido del archivo /mnt/jffs2/banner.txt, almacenado en el sistema de archivos del dispositivo, para que contenga JavaScript arbitrario. El contenido del archivo es usado entonces como parte de un mensaje de welcome/banner presentado a usuarios no autenticados que visitan la p\u00e1gina de inicio de sesi\u00f3n de la consola web. Esta vulnerabilidad no ocurre en las versiones de firmware 1.5.x m\u00e1s antiguas"}], "lastModified": "2021-07-30T15:19:29.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:mimosa:b5_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8F0CE000-9BD3-4EA6-B98B-F58FC97FC5BE", "versionEndIncluding": "2.8.0.3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:mimosa:b5:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "AB6E4730-E018-43B4-827B-6266EECF81A8"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:mimosa:b5c_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C203C9BF-6730-4E5C-A855-895BFD9E199C", "versionEndIncluding": "2.8.0.3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:mimosa:b5c:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B92406E6-A9B4-4070-B307-C341F770EF43"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:mimosa:c5c_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E5DF58CB-D5CA-4924-A7C4-1A24CAD33F4A", "versionEndIncluding": "2.8.0.3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:mimosa:c5c:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B2435693-7699-4432-BC83-F31D967E181F"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}