CVE-2021-39245 — HIGH (7.5)

Vulnerability Description

Hardcoded .htaccess Credentials for getlogs.cgi exist on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices. This affects Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, Nexto NX3010 1.8.3.0, Nexto NX3020 1.8.3.0, Nexto NX3030 1.8.3.0, Nexto NX5100 1.8.11.0, Nexto NX5101 1.8.11.0, Nexto NX5110 1.1.2.8, Nexto NX5210 1.1.2.8, Nexto Xpress XP300 1.8.11.0, Nexto Xpress XP315 1.8.11.0, Nexto Xpress XP325 1.8.11.0, Nexto Xpress XP340 1.8.11.0, and Hadron Xtorm HX3040 1.7.58.0.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Altus	Nexto Nx3003 Firmware	1.8.11.0
Altus	Nexto Nx3003	-
Altus	Nexto Nx3004 Firmware	1.8.11.0
Altus	Nexto Nx3004	-
Altus	Nexto Nx3005 Firmware	1.8.11.0
Altus	Nexto Nx3005	-
Altus	Nexto Nx3010 Firmware	1.8.3.0
Altus	Nexto Nx3010	-
Altus	Nexto Nx3020 Firmware	1.8.3.0
Altus	Nexto Nx3020	-
Altus	Nexto Nx3030 Firmware	1.8.3.0
Altus	Nexto Nx3030	-
Altus	Nexto Nx5100 Firmware	1.8.11.0
Altus	Nexto Nx5100	-
Altus	Nexto Nx5101 Firmware	1.8.11.0
Altus	Nexto Nx5101	-
Altus	Nexto Nx5110 Firmware	1.1.2.8
Altus	Nexto Nx5110	-
Altus	Nexto Nx5210 Firmware	1.1.2.8
Altus	Nexto Nx5210	-

Related Weaknesses (CWE)

CWE-798

References

https://seclists.org/fulldisclosure/2021/Aug/21ExploitMailing ListThird Party Advisory
https://www.altus.com.br/Vendor Advisory
https://seclists.org/fulldisclosure/2021/Aug/21ExploitMailing ListThird Party Advisory
https://www.altus.com.br/Vendor Advisory

FAQ

What is CVE-2021-39245?

CVE-2021-39245 is a vulnerability with a CVSS score of 7.5 (HIGH). Hardcoded .htaccess Credentials for getlogs.cgi exist on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices. This affects Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, Nexto NX...

How severe is CVE-2021-39245?

CVE-2021-39245 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-39245?

Check the references section above for vendor advisories and patch information. Affected products include: Altus Nexto Nx3003 Firmware, Altus Nexto Nx3003, Altus Nexto Nx3004 Firmware, Altus Nexto Nx3004, Altus Nexto Nx3005 Firmware.