Vulnerabilities in multiple Yamaha routers: firmware update released
Vulnerabilities have been revealed in multiple Yamaha routers. A firmware update is available.
According to JVN, a portal site for vulnerability information, the "RTX1210", "RTX830", "NVR700W", and "NVR510" are affected by a cross-site script inclusion (XSSI) vulnerability, "CVE-2021-20843", and an HTTP response header injection vulnerability, "CVE-2021-20844".
If you access a malicious page while logged in to the web management screen, your settings may be changed or your information may be stolen. The Common Vulnerability Scoring System "CVSSv3.1" base scores are "4.8" and "3.7", respectively.
These vulnerabilities were reported to the JPCERT Coordination Center by Mr. Masatsugu Baba of Yerae Security, and the center coordinated the publication.
Yamaha has released firmware "RTX1210 Rev.14.01.40", "RTX830 Rev.15.02.20", "NVR700W Rev.15.00.22" and "NVR510 Rev.15.01.21" that fix the vulnerabilities. It also announced workarounds such as disabling the HTTP server.
(Security NEXT - 2021/11/09)