Login
Start Free Trial
Research Center
CVE-2021-31641 Research Center

CVE-2021-31641

An unauthenticated XSS vulnerability exists in several IoT devices from CHIYU Technology, including BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC due to a lack of sanitization when the HTTP 404 message is generated.

  • 6.1 high severity

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

  • 01/06/2021

Operating Systems 15

BF

BF-630 Firmware

by Chiyu-Tech

1 Version

2 years ago

Se

Semac S2 Firmware

by Chiyu-Tech

1 Version

2 years ago

Se

Semac D1 Firmware

by Chiyu-Tech

1 Version

2 years ago

Se

Semac D2 Firmware

by Chiyu-Tech

1 Version

2 years ago

Se

Semac D4 Firmware

by Chiyu-Tech

1 Version

2 years ago

Se

Semac S3V3 Firmware

by Chiyu-Tech

1 Version

2 years ago

Se

Semac D2 N300 Firmware

by Chiyu-Tech

1 Version

2 years ago

Se

Semac S1 Osdp Firmware

by Chiyu-Tech

1 Version

2 years ago

We

Webpass Firmware

by Chiyu-Tech

1 Version

2 years ago

BF

BF-430 Firmware

by Chiyu-Tech

4 Versions

2 years ago

Vulnerability Categories 1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

xTags 3

#easy_to_exploit
#known_vulnerability
#user_interaction_required_for_exploiting

Advisory Links 4

https://www.chiyu-tech.com/msg/message-Firmware-update-87.html
https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks/#.YLY_lXmSlPY
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31641
http://packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html
http://www.vicarius.io is owned and operated by Vicarius Ltd. (the ā€œCompanyā€). All information contained on the Website is purely for informational, and educational purposes and should be independently verified and confirmed. Vicarius does not accept any liability for any loss or damage whatsoever caused in reliance upon such information or services. No statements or information presented in any form by Vicarius is intended as fact, and you agree that you will not consider the statements or information presented on the Website as fact or as a guarantee of performance.

Related CVEs

Security Research Topics

By Vicarius Cartoons
Apr 12, 2023

Vicarius Cartoons Presents: IT Passover

By David Parkinson Frost
Mar 27, 2023

Acropalypse wreaking havoc, zero-days in Samsung Exynos, Emotet returns (again)

By Vicarius Cartoons
Feb 14, 2023

Vicarius Cartoons Presents: Cupid's Exploit

By Paul Lighter
Jan 11, 2023

When the Target is Also the Threat

A software failure grounded thousands of flights today, raising a complicated question - how do you secure an unstable system? The answer has never been more urgent.
By Paul Lighter
Jan 06, 2023

The Uncomfortable Implications of the LastPass Attack

The recent attack on LastPass has people questioning if they can trust password managers. But there's a bigger issue lurking underneath - can you trust ANY security vendor?
last_chanse_04.png

Start Closing Security Gaps

  • Risk reduction from Day 1
  • Fast set-up and deployment
  • Unified platform
  • Full-featured 14-day trial
Start Free Trial!