Freebox OS Web interface 3.0.2 has CSRF which can allow VPN user account creation
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| free | freebox_os | 3.0.2 |
A Cross-Site Scripting (XSS) vulnerability exists in the description field of an Download RSS item or Contacts in Freebox OS Web interface 3.0.2, which allows malicious users to execute arbitrary code.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| free | freebox_os | 3.0.2 |
A CSRF vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| free | freebox_delta_firmware | * |
| free | freebox_pop_firmware | * |
| free | freebox_revolution_firmware | * |
| free | freebox_mini_firmware | * |
| free | freebox_one_firmware | * |
A DNS rebinding vulnerability in Freebox v5 before 1.5.29.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| free | freebox_hd_firmware | * |
A DNS rebinding vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-290,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| free | freebox_v5_firmware | * |
| free | freebox_server | * |
A DNS rebinding vulnerability in the UPnP IGD implementations in Freebox v5 before 1.5.29 and Freebox Server before 4.2.3.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 2.8 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| free | freebox_delta_firmware | * |
| free | freebox_pop_firmware | * |
| free | freebox_revolution_firmware | * |
| free | freebox_mini_firmware | * |
| free | freebox_one_firmware | * |
A DNS rebinding vulnerability in the Freebox OS web interface in Freebox Server before 4.2.3.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| free | freebox_delta_firmware | * |
| free | freebox_pop_firmware | * |
| free | freebox_revolution_firmware | * |
| free | freebox_mini_firmware | * |
| free | freebox_one_firmware | * |