CVSS: 4.7EPSS: 0%CPEs: 3EXPL: 2CVE-2009-4197 – Huawei MT882 Modem/Router - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2009-4197
rpwizPppoe.htm in Huawei MT882 V100R002B020 ARG-T running firmware 3.7.9.98 contains a form that does not disable the autocomplete setting for the password parameter, which makes it easier for local users or physically proximate attackers to obtain the password from web browsers that support autocomplete. rpwizPppoe.htm en Huawei MT882 V100R002B020 ARG-T ejecutando el firmware v3.7.9.98 contiene un formulario que no deshabilita la configuración de autocompletado para el parámetro "password", lo que facilita a un usuario local o a un atacante físicamente próximo obtener la contraseña desde navegadores web que soporten el autocompletado. • https://www.exploit-db.com/exploits/10276 http://www.exploit-db.com/exploits/10276 http://www.securityfocus.com/bid/37194 https://exchange.xforce.ibmcloud.com/vulnerabilities/54528 •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2009-4196 – Huawei MT882 Modem/Router - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2009-4196
Multiple cross-site scripting (XSS) vulnerabilities in multiple scripts in Forms/ in Huawei MT882 V100R002B020 ARG-T running firmware 3.7.9.98 allow remote attackers to inject arbitrary web script or HTML via the (1) BackButton parameter to error_1; (2) wzConnFlag parameter to fresh_pppoe_1; (3) diag_pppindex_argen and (4) DiagStartFlag parameters to rpDiag_argen_1; (5) wzdmz_active and (6) wzdmzHostIP parameters to rpNATdmz_argen_1; (7) wzVIRTUALSVR_endPort, (8) wzVIRTUALSVR_endPortLocal, (9) wzVIRTUALSVR_IndexFlag, (10) wzVIRTUALSVR_localIP, (11) wzVIRTUALSVR_startPort, and (12) wzVIRTUALSVR_startPortLocal parameters to rpNATvirsvr_argen_1; (13) Connect_DialFlag, (14) Connect_DialHidden, and (15) Connect_Flag parameters to rpStatus_argen_1; (16) Telephone_select, and (17) wzFirstFlag parameters to rpwizard_1; and (18) wzConnectFlag parameter to rpwizPppoe_1. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en múltiples scripts de la carpeta Forms/ de MT882 V100R002B020 ARG-T ejecutando el firmware v3.7.9.98 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante (1) el parámetro "BackButton" de error_1; (2) el parámetro "wzConnFlag" de fresh_pppoe_1; (3) los parámetros "diag_pppindex_argen" y (4) "DiagStartFlag" de rpDiag_argen_1; (5)) los parámetros "wzdmz_active" y (6) "wzdmzHostIP" de rpNATdmz_argen_1; (7) los parámetros "wzVIRTUALSVR_endPort", (8) "wzVIRTUALSVR_endPortLocal", (9) "wzVIRTUALSVR_IndexFlag", (10) "wzVIRTUALSVR_localIP", (11) "wzVIRTUALSVR_startPort", y (12) "wzVIRTUALSVR_startPortLocal" de rpNATvirsvr_argen_1; (13) los parámetros "Connect_DialFlag", (14) "Connect_DialHidden", y (15) "Connect_Flag" de rpStatus_argen_1; (16) los parámetros "Telephone_select", y (17) "wzFirstFlag" de rpwizard_1; and (18) el parámetro "wzConnectFlag" de rpwizPppoe_1. • https://www.exploit-db.com/exploits/10276 http://www.exploit-db.com/exploits/10276 http://www.securityfocus.com/bid/37194 https://exchange.xforce.ibmcloud.com/vulnerabilities/54526 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •