CVE-2008-1261 - The Zyxel P-2602HW-D1A router with 3.40(AJZ.1) firmware provides different responses to admin page r

CVE-2008-1261

Summary

The Zyxel P-2602HW-D1A router with 3.40(AJZ.1) firmware provides different responses to admin page requests depending on whether a user is logged in, which allows remote attackers to obtain current login status by requesting an arbitrary admin URI.

References

http://www.gnucitizen.org/projects/router-hacking-challenge/
http://www.securityfocus.com/archive/1/489009/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/41113

Vulnerable Configurations

cpe:2.3:h:zyxel:p-2602hw-d1a:3.40\(ajz.1\):*:*:*:*:*:*:*
cpe:2.3:h:zyxel:p-2602hw-d1a:3.40\(ajz.1\):*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 11-10-2018 - 20:31)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:N/A:N

refmap via4

bugtraq	20080301 The Router Hacking Challenge is Over!
misc	http://www.gnucitizen.org/projects/router-hacking-challenge/
xf	zyxel-p2602hwd1a-loginstatus-info-disclosure(41113)

Last major update

11-10-2018 - 20:31

Published

10-03-2008 - 17:44

Last modified

11-10-2018 - 20:31