mailing list archives
Stored Cross-site Scripting ('XSS') in Airvana HubBub C1-600-RT Femtocell
From: scott.behrens () neohapsis com
Date: Wed, 27 Feb 2013 15:09:05 GMT
Advisory ID: NEOCAN-2013-002
Advisory Title: Stored XSS ('cross-site scripting') in Airvana HubBub C1-600-RT router
Author: Scott Behrens / Scott.Behrens () Neohapsis com
Release Date: 02/27/2013
Application: Airrave 2.5 router administration page
Platform: Web Application
Vendor status: No response from vendor
CVE Number: CVE-2013-2270
A stored cross-site scripting vulnerability was discovered in the Airrave 2.5 router. An attacker that exploits this
that the victim is authenticated to the device.
Vendor was contacted first via email on January 17th, 2013. Researcher did not receive a response when using the
'online form' which was the only publically available email on the companys website.
Vendor was then contacted via telephone on the following dates: January 25th, February 7th, February 12th. A 'support
operator' filed the ticket and informed the researcher a technician would call them back. No technician ever followed
up to the calls.
Ensure data controlled input is html encoded or escaped. Perform content filtering on user control data for special
characters or symbols.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues:
These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security
Common Weakness Enumeration (CWE) Information:
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
--------Neohapsis Vulnerability Research Advisory Information-------
For questions about this advisory, or to report an error:
research () neohapsis com
NeohapsisVulnerability Research GPG Key:
Copyright (c) 2013 Neohapsis
- Stored Cross-site Scripting ('XSS') in Airvana HubBub C1-600-RT Femtocell scott . behrens (Feb 28)