CVE-2021-31250
Published 2021-06-04
Priority P278 · medium · 5.4 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 79.61% (99.6th percentile)
Multiple storage XSS vulnerabilities were discovered on BF-430, BF-431 and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of sanitization of the input on the components man.cgi, if.cgi, dhcpc.cgi, ppp.cgi.
Detection & IOCs
url: /if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28{{randstr}}%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/if.cgi?redirect=setting.htm"; content:"TF_submask=|22 3e 3c|script|3e|alert|28|"; fast_pattern; content:"|29 3c 2f|script|3e|"; distance:0; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033349; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_16;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dhcp.cgi?redirect=setting.htm"; content:"TF_hostname=|2f 22 3e 3c|img|20|src|3d 22 23 22 3e|"; fast_pattern; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033350; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_16;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ppp.cgi?redirect=setting.htm"; content:"TF_servicename=|22 3e 3c|script|3e|alert|28|"; fast_pattern; content:"|29 3c 2f|script|3e|"; distance:0; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033351; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_16;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/man.cgi?redirect=setting.htm"; content:"TF_port=|2f 22 3e 3c|img|20|src|3d 22 23 22 3e|"; fast_pattern; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033352; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_16;)
- Exploit traffic uses HTTP GET with XSS payload injected into TF_submask parameter of /if.cgi; detect body response containing the unescaped alert string
- Exploit for /if.cgi uses default base64-encoded credentials 'OmFkbWlu' (empty username, password 'admin') in the Authorization header
- M1 signature: GET to /if.cgi with TF_submask parameter containing hex-encoded XSS payload |22 3e 3c|script|3e|alert|28| ... |29 3c 2f|script|3e|
- M2 signature: GET to /dhcp.cgi with TF_hostname parameter containing hex-encoded img tag payload |2f 22 3e 3c|img|20|src|3d 22 23 22 3e|
- M3 signature: GET to /ppp.cgi with TF_servicename parameter containing hex-encoded XSS payload |22 3e 3c|script|3e|alert|28| ... |29 3c 2f|script|3e|
- M4 signature: GET to /man.cgi with TF_port parameter containing hex-encoded img tag payload |2f 22 3e 3c|img|20|src|3d 22 23 22 3e|
- All four ET rules classify traffic as web-application-attack targeting Client_Endpoint, deployed at Perimeter; SIDs 2033349–2033352 cover all four vulnerable CGI endpoints
- The Nuclei template uses a single GET request with a hardcoded Authorization header (Basic OmFkbWlu = empty user / 'admin' password); this probe is intrusive and will only confirm the vulnerability if default credentials are in use
- ET rule M2 (sid:2033350) targets /dhcp.cgi but the CVE description and Nuclei template reference dhcpc.cgi; verify the correct endpoint name on the target firmware version before tuning
- ET rules M2 and M4 carry only 'confidence Medium' vs M1's 'confidence High'; consider tuning thresholds accordingly in your NIDS deployment
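Added example (not from the ET ruleset or the Nuclei template): a log-side check for the four endpoint/parameter pairs in the notes above, watching both dhcp.cgi and dhcpc.cgi because of the naming mismatch. It is broader than the ET rules (it does not require redirect=setting.htm); the names WATCH, MARKERS, classify and scan and the sample request lines are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Endpoint -> (parameter, label). /dhcp.cgi is what ET rule M2 matches;
# /dhcpc.cgi is the name in the CVE description, so both are watched.
WATCH = {
    "/if.cgi": ("TF_submask", "M1"),
    "/dhcp.cgi": ("TF_hostname", "M2"),
    "/dhcpc.cgi": ("TF_hostname", "M2 (dhcpc.cgi variant)"),
    "/ppp.cgi": ("TF_servicename", "M3"),
    "/man.cgi": ("TF_port", "M4"),
}
# Decoded markers taken from the rule contents quoted on this page.
MARKERS = ('"><script>', '"><img src="#">')


def classify(request_target):
    """Return the label of the matching pattern, or None."""
    parts = urlsplit(request_target)
    watched = WATCH.get(parts.path.lower())
    if watched is None:
        return None
    param, label = watched
    # parse_qsl percent-decodes and keeps repeated keys. The if.cgi URL on
    # this page sends TF_submask twice, so a parser that keeps one value
    # per key can miss the injected one.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == param and any(m in value.lower() for m in MARKERS):
            return label
    return None


SAMPLE = [  # constructed request lines, not captured traffic
    "GET /if.cgi?redirect=setting.htm&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&B_apply=APPLY HTTP/1.1",
    "GET /dhcpc.cgi?redirect=setting.htm&TF_hostname=%2F%22%3E%3Cimg%20src%3D%22%23%22%3E HTTP/1.1",
    "GET /if.cgi?redirect=setting.htm&TF_ip=443&TF_submask=0 HTTP/1.1",
    "GET /index.htm HTTP/1.1",
]


def scan(lines):
    """Return (label, path) for every GET request line that matches."""
    hits = []
    for line in lines:
        method, target, _ = line.split(" ", 2)
        label = classify(target) if method == "GET" else None
        if label:
            hits.append((label, target.split("?")[0]))
    return hits
```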
CVSS provenance
nvd · v3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd · v2.0 · 3.5 LOW · AV:N/AC:M/Au:S/C:N/I:P/A:N
vulncheck · 5.4 MEDIUM
GHSA
ghsa_unreviewed·2022-05-24
CVE-2021-31250 [MEDIUM] CWE-79 GHSA-93wm-fh6p-4cpf: Multiple storage XSS vulnerabilities were discovered on BF-430, BF-431 and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of
Multiple storage XSS vulnerabilities were discovered on BF-430, BF-431 and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of sanitization of the input on the components man.cgi, if.cgi, dhcpc.cgi, ppp.cgi.
VulnCheck
vulncheck·2021·CVSS 5.4
CVE-2021-31250 [MEDIUM] chiyu-tech bf-430_firmware Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected: chiyu-tech bf-430_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-08&host_type=src&vulnerability=cve-2021-31250; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-11&host_type=sr
Nuclei
nuclei·CVSS 5.4
CVE-2021-31250 [MEDIUM] CHIYU TCP/IP Converter - Cross-Site Scripting
CHIYU BF-430, BF-431 and BF-450M TCP/IP Converter devices contain a cross-site scripting vulnerability due to a lack of sanitization of the input on the components man.cgi, if.cgi, dhcpc.cgi, and ppp.cgi.
Template:
id: CVE-2021-31250
info:
  name: CHIYU TCP/IP Converter - Cross-Site Scripting
  author: geeknik
  severity: medium
  description: CHIYU BF-430, BF-431 and BF-450M TCP/IP Converter devices contain a cross-site scripting vulnerability due to a lack of sanitization of the input on the components man.cgi, if.cgi, dhcpc.cgi, and ppp.cgi.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250
https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks/
https://www.chiyu-tech.com/msg/message-Firmware-update-87.htm