var-201601-0401
Vulnerability from variot
Cross-site scripting (XSS) vulnerability on KDDI HOME SPOT CUBE devices before 2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. HOME SPOT CUBE provided by KDDI CORPORATION is a wireless LAN router. Masaki Yoshikawa of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.An arbitrary script may be executed on user's web browser. KDDI Home Spot Cube is prone to the following security vulnerabilities: Cross-site scripting - CVE-2016-1136 Open redirect - CVE-2016-1137 HTTP header injection - CVE-2016-1138 Cross-site request forgery - CVE-2016-1139 Click jacking - CVE-2016-1140 OS command injection - CVE-2016-1141 Attackers can exploit these issues to execute arbitrary script or HTML code, steal cookie-based authentication credentials, or conduct phishing attacks, or inject arbitrary HTTP headers, or execute arbitrary OS commands in context of the affected application,or allow attackers to gain unauthorized access to the affected application or obtain sensitive information, and to to perform certain unauthorized actions
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201601-0401",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "home spot cube",
"scope": "eq",
"trust": 1.6,
"vendor": "kddi",
"version": "2.0"
},
{
"model": "home spot cube",
"scope": null,
"trust": 0.8,
"vendor": "kddi",
"version": null
},
{
"model": "home spot cube devices",
"scope": "lt",
"trust": 0.6,
"vendor": "kddi",
"version": "2"
},
{
"model": "home spot cube",
"scope": "eq",
"trust": 0.3,
"vendor": "kddi",
"version": "0"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-00845"
},
{
"db": "BID",
"id": "81982"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-000007"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-689"
},
{
"db": "NVD",
"id": "CVE-2016-1136"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/h:kddi:home_spot_cube",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-000007"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Masaki Yoshikawa",
"sources": [
{
"db": "BID",
"id": "81982"
}
],
"trust": 0.3
},
"cve": "CVE-2016-1136",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"id": "CVE-2016-1136",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "LOW",
"trust": 1.0,
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Adjacent Network",
"authentication": "Single",
"author": "IPA",
"availabilityImpact": "None",
"baseScore": 2.7,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2016-000007",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Low",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:A/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CNVD-2016-00845",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"id": "VHN-89955",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "LOW",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:S/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.3,
"id": "CVE-2016-1136",
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "IPA",
"availabilityImpact": "None",
"baseScore": 4.3,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "JVNDB-2016-000007",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "High",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2016-1136",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "IPA",
"id": "JVNDB-2016-000007",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2016-00845",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201601-689",
"trust": 0.6,
"value": "LOW"
},
{
"author": "VULHUB",
"id": "VHN-89955",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-00845"
},
{
"db": "VULHUB",
"id": "VHN-89955"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-000007"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-689"
},
{
"db": "NVD",
"id": "CVE-2016-1136"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cross-site scripting (XSS) vulnerability on KDDI HOME SPOT CUBE devices before 2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. HOME SPOT CUBE provided by KDDI CORPORATION is a wireless LAN router. Masaki Yoshikawa of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.An arbitrary script may be executed on user\u0027s web browser. KDDI Home Spot Cube is prone to the following security vulnerabilities:\nCross-site scripting - CVE-2016-1136\nOpen redirect - CVE-2016-1137\nHTTP header injection - CVE-2016-1138\nCross-site request forgery - CVE-2016-1139\nClick jacking - CVE-2016-1140\nOS command injection - CVE-2016-1141\nAttackers can exploit these issues to execute arbitrary script or HTML code, steal cookie-based authentication credentials, or conduct phishing attacks, or inject arbitrary HTTP headers, or execute arbitrary OS commands in context of the affected application,or allow attackers to gain unauthorized access to the affected application or obtain sensitive information, and to to perform certain unauthorized actions",
"sources": [
{
"db": "NVD",
"id": "CVE-2016-1136"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-000007"
},
{
"db": "CNVD",
"id": "CNVD-2016-00845"
},
{
"db": "BID",
"id": "81982"
},
{
"db": "VULHUB",
"id": "VHN-89955"
}
],
"trust": 2.52
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2016-1136",
"trust": 3.4
},
{
"db": "JVN",
"id": "JVN54686544",
"trust": 2.8
},
{
"db": "JVNDB",
"id": "JVNDB-2016-000007",
"trust": 2.5
},
{
"db": "BID",
"id": "81982",
"trust": 0.9
},
{
"db": "CNNVD",
"id": "CNNVD-201601-689",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2016-00845",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-89955",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-00845"
},
{
"db": "VULHUB",
"id": "VHN-89955"
},
{
"db": "BID",
"id": "81982"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-000007"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-689"
},
{
"db": "NVD",
"id": "CVE-2016-1136"
}
]
},
"id": "VAR-201601-0401",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-00845"
},
{
"db": "VULHUB",
"id": "VHN-89955"
}
],
"trust": 1.7
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-00845"
}
]
},
"last_update_date": "2024-11-23T22:22:47.711000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Notes on use of HOME SPOT CUBE",
"trust": 0.8,
"url": "http://www.au.kddi.com/mobile/service/smartphone/wifi/homespot/#anc06"
},
{
"title": "Patch for KDDIHOMESPOTCUBEdevices cross-site scripting vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/71198"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-00845"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-000007"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-89955"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-000007"
},
{
"db": "NVD",
"id": "CVE-2016-1136"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.8,
"url": "http://jvn.jp/en/jp/jvn54686544/index.html"
},
{
"trust": 2.0,
"url": "http://www.au.kddi.com/mobile/service/smartphone/wifi/homespot/#anc06"
},
{
"trust": 1.7,
"url": "http://jvndb.jvn.jp/jvndb/jvndb-2016-000007"
},
{
"trust": 1.4,
"url": "https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1136"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1136"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-00845"
},
{
"db": "VULHUB",
"id": "VHN-89955"
},
{
"db": "BID",
"id": "81982"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-000007"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-689"
},
{
"db": "NVD",
"id": "CVE-2016-1136"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2016-00845"
},
{
"db": "VULHUB",
"id": "VHN-89955"
},
{
"db": "BID",
"id": "81982"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-000007"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-689"
},
{
"db": "NVD",
"id": "CVE-2016-1136"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-02-14T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-00845"
},
{
"date": "2016-01-30T00:00:00",
"db": "VULHUB",
"id": "VHN-89955"
},
{
"date": "2016-01-27T00:00:00",
"db": "BID",
"id": "81982"
},
{
"date": "2016-01-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-000007"
},
{
"date": "2016-01-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201601-689"
},
{
"date": "2016-01-30T15:59:01.093000",
"db": "NVD",
"id": "CVE-2016-1136"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-02-14T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-00845"
},
{
"date": "2016-02-10T00:00:00",
"db": "VULHUB",
"id": "VHN-89955"
},
{
"date": "2016-01-27T00:00:00",
"db": "BID",
"id": "81982"
},
{
"date": "2016-02-16T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-000007"
},
{
"date": "2016-02-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201601-689"
},
{
"date": "2024-11-21T02:45:50.130000",
"db": "NVD",
"id": "CVE-2016-1136"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201601-689"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "HOME SPOT CUBE vulnerable to cross-site scripting",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-000007"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201601-689"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…