CVE-2023-34354

Medium

A stored cross-site scripting (XSS) vulnerability exists in the upload_brand.cgi functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A…

talos·CWE-80·Published 2023-10-11

CVSS

5.4

EPSS

0.01

KEV

Exploits

cve.orgen

325 chars

A stored cross-site scripting (XSS) vulnerability exists in the upload_brand.cgi functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to execution of arbitrary javascript in another user's browser. An attacker can make an authenticated HTTP request to trigger this vulnerability.

NVDen

325 chars

NVDes

373 chars

Existe una vulnerabilidad de Cross-Site Scripting (XSS) almacenada en la funcionalidad upload_brand.cgi de peplink Surf SOHO HW1 v6.3.5 (en QEMU). Una solicitud HTTP especialmente manipulada puede provocar la ejecución de JavaScript arbitrario en el navegador de otro usuario. Un atacante puede realizar una solicitud HTTP autenticada para desencadenar esta vulnerabilidad.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	NVD	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
3.1	Primary	cve.org	3.4	—	—	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N