CVE-2021-31643
published 2021-06-01


Priority: P3, 54, medium
CVSS 3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EXPLOIT
EPSS: 88.45% (99.8th percentile)
An XSS vulnerability exists in several IoT devices from CHIYU Technology, including SEMAC, Biosense, BF-630, BF-631, and Webpass due to a lack of sanitization on the component if.cgi - username parameter.

Detection & IOCs (extracted from sources)

url: /if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=0000&MarkID=0000&CardID=000000&username=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2021&SM=2&SD=7&sy_h=16&sy_m=23&EY=2021&EM=2&ED=7&sy_h=16&sy_m=23&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=0&card=116&card=9&card=138
path: /if.cgi
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS and Webpass IoT devices CVE-2021-31643"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/if.cgi?redirect=EmpRcd.htm"; content:"&username=|22 3e 3c|script|3e|alert|28|"; fast_pattern; content:"|29 3c 2f|script|3c|"; distance:0; reference:cve,2021-31643; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033353; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31643, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_16;)
bytes: |22 3e 3c|script|3e|alert|28|
  • CVE-2021-31643 is a Stored XSS triggered via a GET request to /if.cgi with the 'username' parameter containing an unsanitized script payload; monitor for GET requests to /if.cgi?redirect=EmpRcd.htm with script injection patterns in the username field.
  • The ET rule keys on two sequential URI content matches: '&username=' followed by the hex-encoded bytes for '"><script>alert(' (|22 3e 3c|script|3e|alert|28|) and then ')</script' (|29 3c 2f|script|3c|) at distance:0, providing a precise byte-level detection pattern.
  • Requests carry a Basic Authorization header (Base64-encoded credentials); the SEMAC PoC uses 'Authorization: Basic YWRtaW46YWRtaW4=' (admin:admin), indicating default credentials are used alongside the exploit.
  • Unauthenticated XSS (CVE-2021-31641) is triggered by appending a payload directly after the device IP in the URL, resulting in an HTTP-404 response that reflects the unsanitized input.
  • The exploit affects all firmware versions across multiple CHIYU device families; there is no specific firmware version to filter on, because all versions are vulnerable.
  • The ET Snort rule (sid:2033353) is scoped to perimeter deployment with 'confidence Medium'; tune accordingly if CHIYU devices are only on internal segments.
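
The ET rule described above keys on the literal alert( proof-of-concept bytes. The following is an added example, not taken from the page or its sources: it scans access-log lines, percent-decodes the username parameter of /if.cgi requests, and flags any HTML metacharacters, so it also catches markup that does not contain that literal. The log format, client addresses and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A name field has no legitimate use for these characters; they are what lets
# input break out of an attribute or open a tag when it is not sanitized.
MARKUP = re.compile(r'[<>"]')
# Request line of a common/combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_username(target):
    """Return the decoded username if a request to /if.cgi carries markup in it."""
    parts = urlsplit(target)
    if parts.path != "/if.cgi":
        return None
    # parse_qs percent-decodes each value once; a repeated parameter yields a list.
    for value in parse_qs(parts.query, keep_blank_values=True).get("username", []):
        if MARKUP.search(value):
            return value
    return None

def scan(lines):
    """Return (line number, client address, decoded username) for each hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        value = suspicious_username(match.group(1))
        if value is not None:
            hits.append((number, line.split()[0], value))
    return hits

# Constructed sample log: a normal edit, the PoC request from this page, and a
# request carrying plain markup that the rule's "alert(" literal would not match.
SAMPLE_LOG = [
    '192.0.2.10 - admin [07/Feb/2021:16:23:01 +0000] "GET /if.cgi?redirect=EmpRcd.htm&type=user_data&username=Alice&Card_Valid=0 HTTP/1.1" 200 512',
    '192.0.2.44 - admin [07/Feb/2021:16:23:09 +0000] "GET /if.cgi?redirect=EmpRcd.htm&type=user_data&username=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0 HTTP/1.1" 200 512',
    '198.51.100.7 - admin [07/Feb/2021:16:24:30 +0000] "GET /if.cgi?redirect=EmpRcd.htm&type=user_data&username=%3Cb%3Etest%3C%2Fb%3E&Card_Valid=0 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, client, value in scan(SAMPLE_LOG):
        print(f"line {number}: {client} sent username={value!r}")
```
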

CVSS provenance

nvd   v3.1   5.4   MEDIUM   CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd   v2.0   3.5   LOW      AV:N/AC:M/Au:S/C:N/I:P/A:N