{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-26154","assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","state":"PUBLISHED","assignerShortName":"icscert","dateReserved":"2024-02-14T22:03:32.380Z","datePublished":"2025-01-17T16:17:10.899Z","dateUpdated":"2025-01-21T14:56:13.407Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Remote Access Server (RAS)","vendor":"ETIC Telecom","versions":[{"lessThan":"4.5.0","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Haviv Vaizman, Hay Mizrachi, Alik Koldobsky, Ofir Manzur, and Nikolay Sokolik of OTORIO reported these vulnerabilities to CISA."}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.5.0 \nare vulnerable to reflected cross-site scripting in the appliance site \nname. The ETIC RAS web server saves the site name and then presents it \nto the administrators in a few different pages."}],"value":"All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.5.0 \nare vulnerable to reflected cross-site scripting in the appliance site \nname. 
The ETIC RAS web server saves the site name and then presents it \nto the administrators in a few different pages."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.8,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]},{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":4.8,"baseSeverity":"MEDIUM","privilegesRequired":"HIGH","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Cross-site Scripting","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert","dateUpdated":"2025-01-17T16:17:10.899Z"},"references":[{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-22-307-01"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"For all firmware versions <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.etictelecom.com/en/softwares-download/\">4.5.0</a> and above, this issue is fixed."}],"value":"For all firmware versions 4.5.0 (https://www.etictelecom.com/en/softwares-download/) and above, this issue is 
fixed."}],"source":{"advisory":"ICSA-22-307-01","discovery":"EXTERNAL"},"title":"ETIC Telecom Remote Access Server (RAS) Cross-site Scripting","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"For versions prior to 4.5.0, to reduce the attack surface, ETIC Telecom \nadvises the user to verify in the router configuration that: (1) The \nadministration web page is accessible only through the LAN side over \nHTTPS, and (2) The administration web page is protected with \nauthentication.\n\n<br>"}],"value":"For versions prior to 4.5.0, to reduce the attack surface, ETIC Telecom \nadvises the user to verify in the router configuration that: (1) The \nadministration web page is accessible only through the LAN side over \nHTTPS, and (2) The administration web page is protected with \nauthentication."}],"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-01-21T14:55:51.814303Z","id":"CVE-2024-26154","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-01-21T14:56:13.407Z"}}]}}