// For flags

CVE-2017-16564

 

Severity Score

5.4
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Stored Cross-site scripting (XSS) vulnerability in /cgi-bin/config2 on Vonage (Grandstream) HT802 devices allows remote authenticated users to inject arbitrary web script or HTML via the DHCP vendor class ID field (P148).

Una vulnerabilidad de Cross-Site Scripting (XSS) persistente en /cgi-bin/config2 en dispositivos Vonage (Grandstream) HT802 permite que usuarios remotos autenticados inyecten scripts web o HTML arbitrarios mediante el campo ID de clase de proveedor DHCP (P148).

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-11-06 CVE Reserved
  • 2017-11-06 CVE Published
  • 2023-09-16 EPSS Updated
  • 2024-08-05 CVE Updated
  • 2024-08-05 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Grandstream
Search vendor "Grandstream"
Ht802 Firmware
Search vendor "Grandstream" for product "Ht802 Firmware"
--
Affected
in Grandstream
Search vendor "Grandstream"
Ht802
Search vendor "Grandstream" for product "Ht802"
--
Safe