MidnightBSD

Advisories for elecom

CVE-2020-5634 HIGH

ELECOM LAN routers (WRC-2533GST2 firmware versions prior to v1.14, WRC-1900GST2 firmware versions prior to v1.14, WRC-1750GST2 firmware versions prior to v1.14, and WRC-1167GST2 firmware versions prior to v1.10) allow an attacker on the same network segment to execute arbitrary OS commands with a root privilege via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
elecom wrc-1900gst2_firmware *
elecom wrc-2533gst2_firmware *
elecom wrc-1167gst2_firmware *
elecom wrc-1750gst2_firmware *

CVE-2021-20643 MEDIUM

Improper access control vulnerability in ELECOM LD-PS/U1 allows remote attackers to change the administrative password of the affected device by processing a specially crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
elecom ld-ps/u1_firmware -

CVE-2021-20644 MEDIUM

ELECOM WRC-1467GHBK-A allows arbitrary scripts to be executed on the user's web browser by displaying a specially crafted SSID on the web setup page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74

Products Affected

Vendor Product Version
elecom wrc-1467ghbk-a_firmware -

CVE-2021-20645 MEDIUM

Cross-site scripting vulnerability in ELECOM WRC-300FEBK-A allows remote authenticated attackers to inject arbitrary script via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
elecom wrc-300febk-a_firmware -

CVE-2021-20646 MEDIUM

Cross-site request forgery (CSRF) vulnerability in ELECOM WRC-300FEBK-A allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via unspecified vector. As a result, the device settings may be altered and/or telnet daemon may be started.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352

Products Affected

Vendor Product Version
elecom wrc-300febk-a_firmware -

CVE-2021-20647 MEDIUM

Cross-site request forgery (CSRF) vulnerability in ELECOM WRC-300FEBK-S allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via unspecified vector. As a result, the device settings may be altered and/or telnet daemon may be started.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352

Products Affected

Vendor Product Version
elecom wrc-300febk-s_firmware -

CVE-2021-20648 HIGH

ELECOM WRC-300FEBK-S allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78

Products Affected

Vendor Product Version
elecom wrc-300febk-s_firmware -

CVE-2021-20649 MEDIUM

ELECOM WRC-300FEBK-S contains an improper certificate validation vulnerability. Via a man-in-the-middle attack, an attacker may alter the communication response. As a result, an arbitrary OS command may be executed on the affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295

Products Affected

Vendor Product Version
elecom wrc-300febk-s_firmware -

CVE-2021-20650 MEDIUM

Cross-site request forgery (CSRF) vulnerability in ELECOM NCC-EWF100RMWH2 allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via unspecified vector. As a result, the device settings may be altered and/or telnet daemon may be started.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352

Products Affected

Vendor Product Version
elecom ncc-ewf100rmwh2_firmware -

CVE-2021-20651 MEDIUM

Directory traversal vulnerability in ELECOM File Manager all versions allows remote attackers to create an arbitrary file or overwrite an existing file in a directory which can be accessed with the application privileges via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22

Products Affected

Vendor Product Version
elecom file_manager *

CVE-2021-20738 LOW

WRC-1167FS-W, WRC-1167FS-B, and WRC-1167FSA all versions allow an unauthenticated network-adjacent attacker to obtain sensitive information via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
elecom wrc-1167fsa_firmware *
elecom wrc-1167fs-b_firmware *
elecom wrc-1167fs-w_firmware *

CVE-2021-20739 MEDIUM

WRC-300FEBK, WRC-F300NF, WRC-733FEBK, WRH-300RD, WRH-300BK, WRH-300SV, WRH-300WH, WRH-H300WH, WRH-H300BK, WRH-300BK-S, and WRH-300WH-S all versions allow an unauthenticated network-adjacent attacker to execute an arbitrary OS command via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-78

Products Affected

Vendor Product Version
elecom wrc-300febk_firmware *
elecom wrh-300bk_firmware *
elecom wrh-300bk-s_firmware *
elecom wrc-f300nf_firmware *
elecom wrh-h300bk_firmware *
elecom wrc-733febk_firmware *
elecom wrh-h300wh_firmware *
elecom wrh-300rd_firmware *
elecom wrh-300sv_firmware *
elecom wrh-300wh_firmware *
elecom wrh-300wh-s_firmware *

CVE-2021-20852 MEDIUM

Buffer overflow vulnerability in ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior) allows a network-adjacent attacker with an administrator privilege to execute an arbitrary OS command via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120

Products Affected

Vendor Product Version
elecom wrh-733gwh_firmware *
elecom wrh-733gbk_firmware *

CVE-2021-20853 MEDIUM

ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior) allow a network-adjacent attacker with an administrator privilege to execute arbitrary OS commands via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-78

Products Affected

Vendor Product Version
elecom wrh-733gwh_firmware *
elecom wrh-733gbk_firmware *

CVE-2021-20854 MEDIUM

ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior) allow a network-adjacent attacker with an administrator privilege to execute arbitrary OS commands via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-78

Products Affected

Vendor Product Version
elecom wrh-733gwh_firmware *
elecom wrh-733gbk_firmware *

CVE-2021-20855 LOW

Cross-site scripting vulnerability in ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior) allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
elecom wrh-733gwh_firmware *
elecom wrh-733gbk_firmware *

CVE-2021-20856 LOW

Cross-site scripting vulnerability in ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior) allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
elecom wrh-733gwh_firmware *
elecom wrh-733gbk_firmware *

CVE-2021-20857 LOW

Cross-site scripting vulnerability in ELECOM LAN router WRC-2533GHBK-I firmware v1.20 and prior allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
elecom wrc-2533ghbk-i_firmware *

CVE-2021-20858 LOW

Cross-site scripting vulnerability in ELECOM LAN router WRC-2533GHBK-I firmware v1.20 and prior allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
elecom wrc-2533ghbk-i_firmware *

CVE-2021-20859 HIGH

ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allow a network-adjacent authenticated attacker to execute an arbitrary OS command via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.1 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78

Products Affected

Vendor Product Version
elecom wrc-2533gs2-b_firmware *
elecom edwrc-2533gst2_firmware *
elecom wrc-2533gst2-g_firmware *
elecom wrc-2533gst_firmware *
elecom wrc-1167gst2h_firmware *
elecom wrc-1167gst2a_firmware *
elecom wrc-2533gst2sp_firmware *
elecom wrc-2533gs2-w_firmware *
elecom wrc-2533gsta_firmware *
elecom wrc-1900gst_firmware *
elecom wrc-1750gs_firmware *
elecom wrc-1750gsv_firmware *
elecom wrc-2533gst2_firmware *
elecom wrc-1167gst2_firmware *

CVE-2021-20860 MEDIUM

Cross-site request forgery (CSRF) vulnerability in ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a remote authenticated attacker to hijack the authentication of an administrator via a specially crafted page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352

Products Affected

Vendor Product Version
elecom wrc-2533gs2-b_firmware *
elecom edwrc-2533gst2_firmware *
elecom wrc-2533gst2-g_firmware *
elecom wrc-2533gst_firmware *
elecom wrc-1167gst2h_firmware *
elecom wrc-1167gst2a_firmware *
elecom wrc-2533gst2sp_firmware *
elecom wrc-2533gs2-w_firmware *
elecom wrc-2533gsta_firmware *
elecom wrc-1900gst_firmware *
elecom wrc-1750gs_firmware *
elecom wrc-1750gsv_firmware *
elecom wrc-2533gst2_firmware *
elecom wrc-1167gst2_firmware *

CVE-2021-20861 MEDIUM

Improper access control vulnerability in ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent authenticated attacker to bypass access restriction and to access the management screen of the product via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
elecom wrc-2533gs2-b_firmware *
elecom edwrc-2533gst2_firmware *
elecom wrc-2533gst2-g_firmware *
elecom wrc-2533gst_firmware *
elecom wrc-1167gst2h_firmware *
elecom wrc-1167gst2a_firmware *
elecom wrc-2533gst2sp_firmware *
elecom wrc-2533gs2-w_firmware *
elecom wrc-2533gsta_firmware *
elecom wrc-1900gst_firmware *
elecom wrc-1750gs_firmware *
elecom wrc-1750gsv_firmware *
elecom wrc-2533gst2_firmware *
elecom wrc-1167gst2_firmware *

CVE-2021-20862 LOW

Improper access control vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent unauthenticated attacker to bypass access restriction, and to obtain anti-CSRF tokens and change the product's settings via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
elecom wrc-2533gs2-b_firmware *
elecom edwrc-2533gst2_firmware *
elecom wrc-2533gst2-g_firmware *
elecom wrc-2533gst_firmware *
elecom wrc-1167gst2h_firmware *
elecom wrc-1167gst2a_firmware *
elecom wrc-2533gst2sp_firmware *
elecom wrc-2533gs2-w_firmware *
elecom wrc-2533gsta_firmware *
elecom wrc-1900gst_firmware *
elecom wrc-1750gs_firmware *
elecom wrc-1750gsv_firmware *
elecom wrc-2533gst2_firmware *
elecom wrc-1167gst2_firmware *

CVE-2021-20863 HIGH

OS command injection vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent authenticated attacker to execute an arbitrary OS command with the root privilege via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.1 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78

Products Affected

Vendor Product Version
elecom wrc-2533gs2-b_firmware *
elecom edwrc-2533gst2_firmware *
elecom wrc-2533gst2-g_firmware *
elecom wrc-2533gst_firmware *
elecom wrc-1167gst2h_firmware *
elecom wrc-1167gst2a_firmware *
elecom wrc-2533gst2sp_firmware *
elecom wrc-2533gs2-w_firmware *
elecom wrc-2533gsta_firmware *
elecom wrc-1900gst_firmware *
elecom wrc-1750gs_firmware *
elecom wrc-1750gsv_firmware *
elecom wrc-2533gst2_firmware *
elecom wrc-1167gst2_firmware *

CVE-2021-20864 HIGH

Improper access control vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent unauthenticated attacker to bypass access restriction, and to start the telnet service and execute an arbitrary OS command via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
elecom wrc-2533gs2-b_firmware *
elecom edwrc-2533gst2_firmware *
elecom wrc-2533gst2-g_firmware *
elecom wrc-2533gst_firmware *
elecom wrc-1167gst2h_firmware *
elecom wrc-1167gst2a_firmware *
elecom wrc-2533gst2sp_firmware *
elecom wrc-2533gs2-w_firmware *
elecom wrc-2533gsta_firmware *
elecom wrc-1900gst_firmware *
elecom wrc-1750gs_firmware *
elecom wrc-1750gsv_firmware *
elecom wrc-2533gst2_firmware *
elecom wrc-1167gst2_firmware *

CVE-2022-21173 HIGH

Hidden functionality vulnerability in ELECOM LAN routers (WRH-300BK3 firmware v1.05 and earlier, WRH-300WH3 firmware v1.05 and earlier, WRH-300BK3-S firmware v1.05 and earlier, WRH-300DR3-S firmware v1.05 and earlier, WRH-300LB3-S firmware v1.05 and earlier, WRH-300PN3-S firmware v1.05 and earlier, WRH-300WH3-S firmware v1.05 and earlier, and WRH-300YG3-S firmware v1.05 and earlier) allows an attacker on the adjacent network to execute an arbitrary OS command via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
elecom wrh-300wh3_firmware *
elecom wrh-300bk3-s_firmware *
elecom wrh-300dr3-s_firmware *
elecom wrh-300bk3_firmware *
elecom wrh-300lb3-s_firmware *
elecom wrh-300yg3-s_firmware *
elecom wrh-300wh3-s_firmware *
elecom wrh-300pn3-s_firmware *

CVE-2022-21799 LOW

Cross-site scripting vulnerability in ELECOM LAN router WRC-300FEBK-R firmware v1.13 and earlier allows an attacker on the adjacent network to inject an arbitrary script via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.2 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.1 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
elecom wrc-300febk-r_firmware *

CVE-2022-25915 MEDIUM

Improper access control vulnerability in ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent authenticated attacker to bypass access restriction and to access the management screen of the product via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
elecom wrc-2533gs2-b_firmware *
elecom edwrc-2533gst2_firmware *
elecom wrc-2533gst2-g_firmware *
elecom wrc-1900gst2_firmware *
elecom wrc-2533gst_firmware *
elecom wrc-1167gs2h-b_firmware *
elecom wmc-dlgst2-w_firmware *
elecom wmc-2hc-w_firmware *
elecom wrc-1167gst2h_firmware *
elecom wrc-1167gst2a_firmware *
elecom wrc-2533gst2sp_firmware *
elecom wrc-2533gs2-w_firmware *
elecom wrc-2533gsta_firmware *
elecom wrc-1900gst2sp_firmware *
elecom wrc-1900gst_firmware *
elecom wmc-m1267gst2-w_firmware *
elecom wrc-1750gs_firmware *
elecom wrc-1750gsv_firmware *
elecom wrc-2533gst2_firmware *
elecom wrc-1167gst2_firmware *
elecom wrc-1750gst2_firmware *
elecom wrc-1167gs2-b_firmware *
elecom wmc-c2533gst-w_firmware *

CVE-2023-22282

WAB-MAT Ver.5.0.0.8 and earlier starts another program with an unquoted file path. Since a registered Windows service path contains spaces and is unquoted, if a malicious executable is placed on a certain path, the executable may be executed with the privilege of the Windows service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 1.3 5.9

Products Affected

Vendor Product Version
elecom wab-mat *

CVE-2023-22368

Untrusted search path vulnerability in ELECOM Camera Assistant 1.00 and QuickFileDealer Ver.1.2.1 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
elecom quickfiledealer *
elecom camera_assistant 1.00

CVE-2023-32626

Hidden functionality vulnerability in LAN-W300N/RS all versions, and LAN-W300N/PR5 all versions allows an unauthenticated attacker to log in to the product's certain management console and execute arbitrary OS commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
elecom lan-w300n/pr5_firmware *
elecom lan-w300n/rs_firmware *

CVE-2023-35991

Hidden functionality vulnerability in LOGITEC wireless LAN routers allows an unauthenticated attacker to log in to the product's certain management console and execute arbitrary OS commands. Affected products and versions are as follows: LAN-W300N/DR all versions, LAN-WH300N/DR all versions, LAN-W300N/P all versions, LAN-WH450N/GP all versions, LAN-WH300AN/DGP all versions, LAN-WH300N/DGP all versions, and LAN-WH300ANDGPE all versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
elecom lan-wh300an/dgp_firmware *
elecom lan-wh300n/dgp_firmware *
elecom lan-w300n/p_firmware *
elecom lan-wh300n/dr_firmware *
elecom lan-wh450n/gp_firmware *
elecom lan-w300n/dr_firmware *
elecom lan-wh300andgpe_firmware *

CVE-2023-37560

Cross-site scripting vulnerability in WRH-300WH-H v2.12 and earlier, and WTC-300HWH v1.09 and earlier allows a remote unauthenticated attacker to inject an arbitrary script.

Products Affected

Vendor Product Version
elecom wrh-300wh-h_firmware *
elecom wtc-300hwh_firmware *

CVE-2023-37561

Open redirect vulnerability in ELECOM wireless LAN routers and ELECOM wireless LAN repeaters allows a remote unauthenticated attacker to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL. Affected products and versions are as follows: WRH-300WH-H v2.12 and earlier, WTC-300HWH v1.09 and earlier, WTC-C1167GC-B v1.17 and earlier, and WTC-C1167GC-W v1.17 and earlier.

Products Affected

Vendor Product Version
elecom wrh-300wh-h_firmware *
elecom wtc-c1167gc-w_firmware *
elecom wtc-300hwh_firmware *
elecom wtc-c1167gc-b_firmware *

CVE-2023-37562

Cross-site request forgery (CSRF) vulnerability exists in WTC-C1167GC-B v1.17 and earlier, and WTC-C1167GC-W v1.17 and earlier. If a user views a malicious page while logged in, unintended operations may be performed.

Products Affected

Vendor Product Version
elecom wtc-c1167gc-w_firmware *
elecom wtc-c1167gc-b_firmware *

CVE-2023-37563

ELECOM wireless LAN routers are vulnerable to sensitive information exposure, which allows a network-adjacent unauthorized attacker to obtain sensitive information. Affected products and versions are as follows: WRC-1167GHBK-S v1.03 and earlier, WRC-1167GEBK-S v1.03 and earlier, WRC-1167FEBK-S v1.04 and earlier, WRC-1167GHBK3-A v1.24 and earlier, WRC-1167FEBK-A v1.18 and earlier, WRC-F1167ACF2 all versions, WRC-600GHBK-A all versions, WRC-733FEBK2-A all versions, WRC-1467GHBK-A all versions, WRC-1467GHBK-S all versions, WRC-1900GHBK-A all versions, and WRC-1900GHBK-S all versions.

Products Affected

Vendor Product Version
elecom wrc-1167gebk-s_firmware *
elecom wrc-1167febk-s_firmware *
elecom wrc-1167ghbk3-a_firmware *
elecom wrc-1167ghbk-s_firmware *
elecom wrc-1167febk-a_firmware *

CVE-2023-37564

OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent authenticated attacker to execute an arbitrary OS command with a root privilege by sending a specially crafted request. Affected products and versions are as follows: WRC-1167GHBK-S v1.03 and earlier, WRC-1167GEBK-S v1.03 and earlier, WRC-1167FEBK-S v1.04 and earlier, WRC-1167GHBK3-A v1.24 and earlier, and WRC-1167FEBK-A v1.18 and earlier.

Products Affected

Vendor Product Version
elecom wrc-1167gebk-s_firmware *
elecom wrc-1167febk-s_firmware *
elecom wrc-1167ghbk3-a_firmware *
elecom wrc-1167ghbk-s_firmware *
elecom wrc-1167febk-a_firmware *

CVE-2023-37565

Code injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent authenticated attacker to execute arbitrary code by sending a specially crafted request. Affected products and versions are as follows: WRC-1167GHBK-S v1.03 and earlier, WRC-1167GEBK-S v1.03 and earlier, WRC-1167FEBK-S v1.04 and earlier, WRC-1167GHBK3-A v1.24 and earlier, and WRC-1167FEBK-A v1.18 and earlier.

Products Affected

Vendor Product Version
elecom wrc-1167gebk-s_firmware *
elecom wrc-1167febk-s_firmware *
elecom wrc-1167ghbk3-a_firmware *
elecom wrc-1167ghbk-s_firmware *
elecom wrc-1167febk-a_firmware *

CVE-2023-37566

Command injection vulnerability in ELECOM and LOGITEC wireless LAN routers allows a network-adjacent authenticated attacker to execute an arbitrary command by sending a specially crafted request to the web management page. Affected products and versions are as follows: WRC-1167GHBK3-A v1.24 and earlier, WRC-1167FEBK-A v1.18 and earlier, WRC-F1167ACF2 all versions, WRC-600GHBK-A all versions, WRC-733FEBK2-A all versions, WRC-1467GHBK-A all versions, WRC-1900GHBK-A all versions, and LAN-W301NR all versions.

Products Affected

Vendor Product Version
elecom wrc-1167ghbk3-a_firmware *
elecom wrc-1167febk-a_firmware *

CVE-2023-37567

Command injection vulnerability in ELECOM and LOGITEC wireless LAN routers allows a remote unauthenticated attacker to execute an arbitrary command by sending a specially crafted request to a certain port of the web management page. Affected products and versions are as follows: WRC-1167GHBK3-A v1.24 and earlier, WRC-F1167ACF2 all versions, WRC-600GHBK-A all versions, WRC-733FEBK2-A all versions, WRC-1467GHBK-A all versions, WRC-1900GHBK-A all versions, and LAN-W301NR all versions.

Products Affected

Vendor Product Version
elecom wrc-1167ghbk3-a_firmware *

CVE-2023-37568

ELECOM wireless LAN routers WRC-1167GHBK-S v1.03 and earlier, and WRC-1167GEBK-S v1.03 and earlier allow a network-adjacent authenticated attacker to execute an arbitrary command by sending a specially crafted request to the web management page.

Products Affected

Vendor Product Version
elecom wrc-1167gebk-s_firmware *
elecom wrc-1167ghbk-s_firmware *

CVE-2023-38132

LAN-W451NGR all versions provided by LOGITEC CORPORATION contains an improper access control vulnerability, which allows an unauthenticated attacker to log in to telnet service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
elecom lan-w451ngr_firmware *

CVE-2023-38576

Hidden functionality vulnerability in LAN-WH300N/RE all versions provided by LOGITEC CORPORATION allows an authenticated user to execute arbitrary OS commands on a certain management console.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.1 5.9

Products Affected

Vendor Product Version
elecom lan-wh300n/re_firmware *

CVE-2023-39445

Hidden functionality vulnerability in LAN-WH300N/RE all versions provided by LOGITEC CORPORATION allows an unauthenticated attacker to execute arbitrary code by sending a specially crafted file to the product's certain management console.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
elecom wrc-1900ghbk-a_firmware *
elecom wrc-733febk2-a_firmware *
elecom wrc-1900ghbk-s_firmware *
elecom wrc-1467ghbk-s_firmware *
elecom wrc-600ghbk-a_firmware *
elecom wrc-f1167acf2_firmware *
elecom wrc-1467ghbk-a_firmware *

CVE-2023-39454

Buffer overflow vulnerability exists in ELECOM wireless LAN routers, which may allow an unauthenticated attacker to execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
elecom wrc-x1800gsa-b_firmware *
elecom wrc-x1800gsh-b_firmware *
elecom wrc-x1800gs-b_firmware *

CVE-2023-39455

OS command injection vulnerability in ELECOM wireless LAN routers allows an authenticated user to execute an arbitrary OS command by sending a specially crafted request. Affected products and versions are as follows: WRC-600GHBK-A all versions, WRC-1467GHBK-A all versions, WRC-1900GHBK-A all versions, WRC-733FEBK2-A all versions, WRC-F1167ACF2 all versions, WRC-1467GHBK-S all versions, and WRC-1900GHBK-S all versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
elecom wrc-1900ghbk-a_firmware *
elecom wrc-733febk2-a_firmware *
elecom wrc-1900ghbk-s_firmware *
elecom wrc-1467ghbk-s_firmware *
elecom wrc-600ghbk-a_firmware *
elecom wrc-f1167acf2_firmware *
elecom wrc-1467ghbk-a_firmware *
CVE-2023-39944

OS command injection vulnerability in WRC-F1167ACF all versions, and WRC-1750GHBK all versions allows an attacker who can access the product to execute an arbitrary OS command by sending a specially crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
elecom wrc-f1167acf_firmware *
elecom wrc-1750ghbk_firmware *
CVE-2023-40069

OS command injection vulnerability in ELECOM wireless LAN routers allows an attacker who can access the product to execute an arbitrary OS command by sending a specially crafted request. Affected products and versions are as follows: WRC-F1167ACF all versions, WRC-1750GHBK all versions, WRC-1167GHBK2 all versions, WRC-1750GHBK2-I all versions, and WRC-1750GHBK-E all versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
elecom wrc-f1167acf_firmware *
elecom wrc-1750ghbk_firmware *
elecom wrc-1750ghbk-e_firmware *
elecom wrc-1167ghbk2_firmware *
elecom wrc-1750ghbk2-i_firmware *
CVE-2023-40072

OS command injection vulnerability in ELECOM wireless LAN access point devices allows an authenticated user to execute an arbitrary OS command by sending a specially crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
elecom wab-s600-ps_firmware *
elecom wab-s300_firmware *
CVE-2023-43752

OS command injection vulnerability in WRC-X3000GS2-W v1.05 and earlier, WRC-X3000GS2-B v1.05 and earlier, and WRC-X3000GS2A-B v1.05 and earlier allows a network-adjacent authenticated user to execute an arbitrary OS command by sending a specially crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.1 5.9

Products Affected

Vendor Product Version
elecom wrc-x3000gs2-b_firmware *
elecom wrc-x3000gs2-w_firmware *
elecom wrc-x3000gs2a-b_firmware *
CVE-2023-43757

Inadequate encryption strength vulnerability in multiple routers provided by ELECOM CO.,LTD. and LOGITEC CORPORATION allows a network-adjacent unauthenticated attacker to guess the encryption key used for wireless LAN communication and intercept the communication. As for the affected products/versions, see the information provided by the vendor under the [References] section.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
elecom wrc-1750ghbk-e_firmware -
elecom wrh-150bk_firmware -
elecom wrh-300wh_firmware -
elecom lan-w300n/p_firmware -
elecom wrc-300febk_firmware -
elecom wrh-300wh-s_firmware -
elecom wrh-300wh2-s_firmware -
elecom wrh-150wh_firmware -
elecom wrc-300ghbk_firmware -
elecom lan-wh300ndgpe_firmware -
elecom wrc-1750ghbk2-i_firmware -
elecom wrh-300bk-s_firmware -
elecom wrh-h300wh_firmware -
elecom wrc-1167ghbk2_firmware -
elecom wrc-f1167acf_firmware -
elecom wrc-2533ghbk2-t_firmware -
elecom wrc-1750ghbk_firmware -
elecom wrc-733ghbk_firmware -
elecom wrh-300rd_firmware -
elecom wrh-300bk2-s_firmware -
elecom wrc-733ghbk-i_firmware -
elecom lan-w300n/rs_firmware -
elecom wrc-1167ghbk_firmware -
elecom wrc-733febk_firmware -
elecom wrc-300ghbk2-i_firmware -
elecom wrc-f300nf_firmware -
elecom wrh-300sv_firmware -
elecom wrh-300wh-h_firmware -
elecom lan-wh300n/dgp_firmware -
elecom wrh-h300bk_firmware -
elecom wrc-2533ghbk-i_firmware -
elecom lan-w301nr_firmware -
elecom wrh-300bk_firmware -
elecom wrc-733ghbk-c_firmware -
CVE-2023-49695

OS command injection vulnerability in WRC-X3000GSN v1.0.2, WRC-X3000GS v1.0.24 and earlier, and WRC-X3000GSA v1.0.24 and earlier allows a network-adjacent attacker with an administrative privilege to execute an arbitrary OS command by sending a specially crafted request to the product.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

Products Affected

Vendor Product Version
elecom wrc-x3000gs_firmware *
elecom wrc-x3000gsn_firmware 1.0.2
elecom wrc-x3000gsa_firmware *
CVE-2024-21798

ELECOM wireless LAN routers contain a cross-site scripting vulnerability. Assume that a malicious administrative user configures the affected product with specially crafted content. When another administrative user logs in and operates the product, an arbitrary script may be executed on the web browser. Note that WMC-X1800GST-B is also included in e-Mesh Starter Kit "WMC-2LX-B".

Products Affected

Vendor Product Version
elecom wrc-2533gs2-w_firmware *
elecom wrc-2533gs2-b_firmware *
elecom wmc-x1800gst-b_firmware *
elecom wrc-1167gs2h-b_firmware *
elecom wrc-2533gst2_firmware *
elecom wrc-1167gst2_firmware *
elecom wrc-x3200gst3-b_firmware *
elecom wrc-2533gs2v-b_firmware *
elecom wrc-1167gs2-b_firmware *
elecom wrc-g01-w_firmware *
CVE-2024-22372

OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

Products Affected

Vendor Product Version
elecom wrc-x6000xst-g_firmware *
elecom wrc-x1800gsa-b_firmware *
elecom wrc-x1800gsh-b_firmware *
elecom wrc-x6000xs-g_firmware 1.09
elecom wrc-x1800gs-b_firmware *
CVE-2024-23910

Cross-site request forgery (CSRF) vulnerability in ELECOM wireless LAN routers and wireless LAN repeater allows a remote unauthenticated attacker to hijack the authentication of administrators and to perform unintended operations to the affected product. Note that WMC-X1800GST-B and WSC-X1800GS-B are also included in e-Mesh Starter Kit "WMC-2LX-B".

Products Affected

Vendor Product Version
elecom wrc-2533gs2-w_firmware *
elecom wrc-2533gs2-b_firmware *
elecom wmc-x1800gst-b_firmware *
elecom wrc-1167gs2h-b_firmware *
elecom wrc-2533gst2_firmware *
elecom wrc-1167gst2_firmware *
elecom wrc-x3200gst3-b_firmware *
elecom wsc-x1800gs-b_firmware *
elecom wrc-2533gs2v-b_firmware *
elecom wrc-1167gs2-b_firmware *
elecom wrc-g01-w_firmware *
CVE-2024-40883

Cross-site request forgery vulnerability exists in ELECOM wireless LAN routers. If a user views a malicious page while logged in to the affected product with an administrative privilege, the user may be directed to perform unintended operations such as changing the login ID, login password, etc.

Products Affected

Vendor Product Version
elecom wrc-2533gs2-w_firmware *
elecom wrc-x6000xs-g_firmware *
elecom wrc-2533gs2-b_firmware *
elecom wrc-x1500gsa-b_firmware *
elecom wrc-2533gs2v-b_firmware *
elecom wrc-x1500gs-b_firmware *
CVE-2024-42412

Cross-site scripting vulnerability exists in ELECOM wireless access points due to improper processing of input values in menu.cgi. If a user views a malicious web page while logged in to the product, an arbitrary script may be executed on the user's web browser.

Products Affected

Vendor Product Version
elecom wab-s1167-ps_firmware *
elecom wab-i1750-ps_firmware *
CVE-2024-43689

Stack-based buffer overflow vulnerability exists in ELECOM wireless access points. By processing a specially crafted HTTP request, arbitrary code may be executed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
elecom wab-s1167-ps_firmware *
elecom wab-i1750-ps_firmware *