CVE-2021-31250
published 2021-06-04


Priority: P278 (medium); CVSS 3.1 base score: 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 79.61% (99.6th percentile)
Multiple storage XSS vulnerabilities were discovered on BF-430, BF-431 and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of sanitization of the input on the components man.cgi, if.cgi, dhcpc.cgi, ppp.cgi.

Detection & IOCs (extracted from sources)

url: /if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28{{randstr}}%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY
other: Authorization: Basic OmFkbWlu
path: /if.cgi
path: /dhcp.cgi
path: /ppp.cgi
path: /man.cgi
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/if.cgi?redirect=setting.htm"; content:"TF_submask=|22 3e 3c|script|3e|alert|28|"; fast_pattern; content:"|29 3c 2f|script|3e|"; distance:0; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033349; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_16;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dhcp.cgi?redirect=setting.htm"; content:"TF_hostname=|2f 22 3e 3c|img|20|src|3d 22 23 22 3e|"; fast_pattern; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033350; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_16;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ppp.cgi?redirect=setting.htm"; content:"TF_servicename=|22 3e 3c|script|3e|alert|28|"; fast_pattern; content:"|29 3c 2f|script|3e|"; distance:0; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033351; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_16;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/man.cgi?redirect=setting.htm"; content:"TF_port=|2f 22 3e 3c|img|20|src|3d 22 23 22 3e|"; fast_pattern; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033352; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_16;)
  • Exploit traffic uses HTTP GET with XSS payload injected into TF_submask parameter of /if.cgi; detect body response containing the unescaped alert string
  • Exploit for /if.cgi uses default base64-encoded credentials 'OmFkbWlu' (empty username, password 'admin') in the Authorization header
  • M1 signature: GET to /if.cgi with TF_submask parameter containing hex-encoded XSS payload |22 3e 3c|script|3e|alert|28| ... |29 3c 2f|script|3e|
  • M2 signature: GET to /dhcp.cgi with TF_hostname parameter containing hex-encoded img tag payload |2f 22 3e 3c|img|20|src|3d 22 23 22 3e|
  • M3 signature: GET to /ppp.cgi with TF_servicename parameter containing hex-encoded XSS payload |22 3e 3c|script|3e|alert|28| ... |29 3c 2f|script|3e|
  • M4 signature: GET to /man.cgi with TF_port parameter containing hex-encoded img tag payload |2f 22 3e 3c|img|20|src|3d 22 23 22 3e|
  • All four ET rules classify traffic as web-application-attack targeting Client_Endpoint, deployed at Perimeter; SIDs 2033349–2033352 cover all four vulnerable CGI endpoints
  • The Nuclei template uses a single GET request with a hardcoded Authorization header (Basic OmFkbWlu = empty user / 'admin' password); this probe is intrusive and will only confirm the vulnerability if default credentials are in use
  • ET rule M2 (sid:2033350) targets /dhcp.cgi but the CVE description and Nuclei template reference dhcpc.cgi; verify the correct endpoint name on the target firmware version before tuning
  • ET rules M2 and M4 carry only 'confidence Medium' vs M1's 'confidence High'; consider tuning thresholds accordingly in your NIDS deployment

CVSS provenance

source: nvd        version: v3.1   score: 5.4 MEDIUM   vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
source: nvd        version: v2.0   score: 3.5 LOW      vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
source: vulncheck                  score: 5.4 MEDIUM