CVE-2013-0126 - Vulnerability Details - OpenCVE

Multiple cross-site request forgery (CSRF) vulnerabilities in index.cgi on the Verizon FIOS Actiontec MI424WR-GEN3I router with firmware 40.19.36 allow remote attackers to hijack the authentication of administrators for requests that (1) add administrative accounts via the username and user_level parameters or (2) enable remote administration via the is_telnet_primary and is_telnet_secondary parameters.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Verizon	Fios Actiontec Mi424wr-gen31 Router Fios Actiontec Mi424wr-gen31 Router Firmware

Configuration 1 [-]

AND

cpe:2.3:o:verizon:fios_actiontec_mi424wr-gen31_router_firmware:40.19.36:*:*:*:*:*:*:*

cpe:2.3:h:verizon:fios_actiontec_mi424wr-gen31_router:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://infosec42.blogspot.com/2013/03/verizon-fios-router-csrf-cve-2013-0126.html
http://www.exploit-db.com/exploits/24860/
http://www.kb.cert.org/vuls/id/278204

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2013-03-21T20:00:00Z

Updated: 2024-09-17T03:07:46.127Z

Reserved: 2012-12-06T00:00:00Z

Link: CVE-2013-0126

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2013-03-21T20:55:01.910

Modified: 2025-04-11T00:51:21.963

Link: CVE-2013-0126

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in index.cgi on the Verizon FIOS Actiontec MI424WR-GEN3I router with firmware 40.19.36 allow remote attackers to hijack the authentication of administrators for requests that (1) add administrative accounts via the username and user_level parameters or (2) enable remote administration via the is_telnet_primary and is_telnet_secondary parameters."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-03-21T20:00:00Z", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"name": "VU#278204", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/278204"}, {"name": "24860", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "http://www.exploit-db.com/exploits/24860/"}, {"tags": ["x_refsource_MISC"], "url": "http://infosec42.blogspot.com/2013/03/verizon-fios-router-csrf-cve-2013-0126.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2013-0126", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in index.cgi on the Verizon FIOS Actiontec MI424WR-GEN3I router with firmware 40.19.36 allow remote attackers to hijack the authentication of administrators for requests that (1) add administrative accounts via the username and user_level parameters or (2) enable remote administration via the is_telnet_primary and is_telnet_secondary parameters."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "VU#278204", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/278204"}, {"name": "24860", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/24860/"}, {"name": "http://infosec42.blogspot.com/2013/03/verizon-fios-router-csrf-cve-2013-0126.html", "refsource": "MISC", "url": "http://infosec42.blogspot.com/2013/03/verizon-fios-router-csrf-cve-2013-0126.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T14:18:08.995Z"}, "title": "CVE Program Container", "references": [{"name": "VU#278204", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/278204"}, {"name": "24860", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "http://www.exploit-db.com/exploits/24860/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://infosec42.blogspot.com/2013/03/verizon-fios-router-csrf-cve-2013-0126.html"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2013-0126", "datePublished": "2013-03-21T20:00:00Z", "dateReserved": "2012-12-06T00:00:00Z", "dateUpdated": "2024-09-17T03:07:46.127Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:verizon:fios_actiontec_mi424wr-gen31_router_firmware:40.19.36:*:*:*:*:*:*:*", "matchCriteriaId": "FE720EF6-5096-4832-BDB6-3A597FD4542E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:verizon:fios_actiontec_mi424wr-gen31_router:-:*:*:*:*:*:*:*", "matchCriteriaId": "74965CFB-C440-4650-B1A0-44F3465171F4", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in index.cgi on the Verizon FIOS Actiontec MI424WR-GEN3I router with firmware 40.19.36 allow remote attackers to hijack the authentication of administrators for requests that (1) add administrative accounts via the username and user_level parameters or (2) enable remote administration via the is_telnet_primary and is_telnet_secondary parameters."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en index.cgi en el router Verizon FIOS Actiontec MI424WR-GEN3I que permite a atacantes remotos secuestrar la autenticaci\u00f3n de los administradores para peticiones que (1) agregan cuentas administrativas a trav\u00e9s del nombre de usuario y par\u00e1metros user_level o (2) que permiten la administraci\u00f3n remota a trav\u00e9s de los par\u00e1metros is_telnet_primary y is_telnet_secondary."}], "id": "CVE-2013-0126", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2013-03-21T20:55:01.910", "references": [{"source": "cret@cert.org", "tags": ["Exploit"], "url": "http://infosec42.blogspot.com/2013/03/verizon-fios-router-csrf-cve-2013-0126.html"}, {"source": "cret@cert.org", "tags": ["Exploit"], "url": "http://www.exploit-db.com/exploits/24860/"}, {"source": "cret@cert.org", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/278204"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://infosec42.blogspot.com/2013/03/verizon-fios-router-csrf-cve-2013-0126.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.exploit-db.com/exploits/24860/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/278204"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}