CVE-2018-19922 — MEDIUM (6.1)

Q: How severe is CVE-2018-19922?

CVE-2018-19922 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-19922?

Check the references section above for vendor advisories and patch information. Affected products include: Actiontec C1000A Firmware, Actiontec C1000A.

Vulnerability Description

Persistent Cross-Site Scripting (XSS) in the advancedsetup_websiteblocking.html Website Blocking page of the Actiontec C1000A router with firmware through CAC004-31.30L.95 allows a remote attacker to inject arbitrary HTML into the Website Blocking page by inserting arbitrary HTML into the 'TodUrlAdd' URL parameter in a /urlfilter.cmd POST request.

CVSS Score

6.1

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Actiontec	C1000A Firmware	<= cac004-31.30l.95
Actiontec	C1000A	-

Related Weaknesses (CWE)

CWE-79

References

https://github.com/logern5/c1000a_xss/blob/master/README.mdExploitThird Party Advisory
https://github.com/logern5/c1000a_xss/blob/master/README.mdExploitThird Party Advisory

FAQ

What is CVE-2018-19922?

CVE-2018-19922 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Persistent Cross-Site Scripting (XSS) in the advancedsetup_websiteblocking.html Website Blocking page of the Actiontec C1000A router with firmware through CAC004-31.30L.95 allows a remote attacker to ...

How severe is CVE-2018-19922?

CVE-2018-19922 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-19922?

Check the references section above for vendor advisories and patch information. Affected products include: Actiontec C1000A Firmware, Actiontec C1000A.