CVE-2023-22971 - Vulnerability Details - OpenCVE

Cross Site Scripting (XSS) vulnerability in Hughes Network Systems Router Terminal for HX200 v8.3.1.14, HX90 v6.11.0.5, HX50L v6.10.0.18, HN9460 v8.2.0.48, and HN7000S v6.9.0.37, allows unauthenticated attackers to misuse frames, include JS/HTML code and steal sensitive information from legitimate users of the application.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Hughes	Hn7000s Hn7000s Firmware Hn9460 Hn9460 Firmware Hx200 Hx200 Firmware Hx50l Hx50l Firmware Hx90 Hx90 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:hughes:hx200_firmware:8.3.1.14:*:*:*:*:*:*:*

cpe:2.3:h:hughes:hx200:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:hughes:hx90_firmware:6.11.0.5:*:*:*:*:*:*:*

cpe:2.3:h:hughes:hx90:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:hughes:hx50l_firmware:6.10.0.18:*:*:*:*:*:*:*

cpe:2.3:h:hughes:hx50l:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:hughes:hn9460_firmware:8.2.0.48:*:*:*:*:*:*:*

cpe:2.3:h:hughes:hn9460:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:hughes:hn7000s_firmware:6.9.0.37:*:*:*:*:*:*:*

cpe:2.3:h:hughes:hn7000s:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.hughes.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php

History

Fri, 28 Mar 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-01-26T00:00:00.000Z

Updated: 2025-03-28T16:22:41.308Z

Reserved: 2023-01-11T00:00:00.000Z

Link: CVE-2023-22971

Vulnrichment

Updated: 2024-08-02T10:20:31.433Z

NVD

Status : Modified

Published: 2023-01-26T21:18:13.540

Modified: 2025-03-28T17:15:25.170

Link: CVE-2023-22971

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-22971", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-03-28T16:22:41.308Z", "dateReserved": "2023-01-11T00:00:00.000Z", "datePublished": "2023-01-26T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-01-26T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Cross Site Scripting (XSS) vulnerability in Hughes Network Systems Router Terminal for HX200 v8.3.1.14, HX90 v6.11.0.5, HX50L v6.10.0.18, HN9460 v8.2.0.48, and HN7000S v6.9.0.37, allows unauthenticated attackers to misuse frames, include JS/HTML code and steal sensitive information from legitimate users of the application."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php"}, {"url": "https://www.hughes.com"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:20:31.433Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php", "tags": ["x_transferred"]}, {"url": "https://www.hughes.com", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-03-28T16:21:54.351619Z", "id": "CVE-2023-22971", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-28T16:22:41.308Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php", "tags": ["x_transferred"]}, {"url": "https://www.hughes.com", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:20:31.433Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-22971", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-28T16:21:54.351619Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-28T16:22:35.116Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php"}, {"url": "https://www.hughes.com"}], "descriptions": [{"lang": "en", "value": "Cross Site Scripting (XSS) vulnerability in Hughes Network Systems Router Terminal for HX200 v8.3.1.14, HX90 v6.11.0.5, HX50L v6.10.0.18, HN9460 v8.2.0.48, and HN7000S v6.9.0.37, allows unauthenticated attackers to misuse frames, include JS/HTML code and steal sensitive information from legitimate users of the application."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-01-26T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2023-22971", "state": "PUBLISHED", "dateUpdated": "2025-03-28T16:22:41.308Z", "dateReserved": "2023-01-11T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-01-26T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:hughes:hx200_firmware:8.3.1.14:*:*:*:*:*:*:*", "matchCriteriaId": "37079B30-F603-4F83-8029-CBABA1EEB833", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hughes:hx200:-:*:*:*:*:*:*:*", "matchCriteriaId": "EC2B7F70-2C3E-446B-AE22-C989CFBEDC35", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:hughes:hx90_firmware:6.11.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "57CF8972-7DA8-4C17-B7F4-1BAE7303BE8D", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hughes:hx90:-:*:*:*:*:*:*:*", "matchCriteriaId": "C996F23D-CD89-4D6F-9B50-F752482C4147", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:hughes:hx50l_firmware:6.10.0.18:*:*:*:*:*:*:*", "matchCriteriaId": "D8D414B3-A331-4049-8B5D-459690698E27", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hughes:hx50l:-:*:*:*:*:*:*:*", "matchCriteriaId": "DDB89AEF-9F1C-43FA-8E4D-20D424F2ACE6", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:hughes:hn9460_firmware:8.2.0.48:*:*:*:*:*:*:*", "matchCriteriaId": "A4511DC1-2420-4251-8124-EC65B94AFD40", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hughes:hn9460:-:*:*:*:*:*:*:*", "matchCriteriaId": "78313913-3B7E-4CF7-8006-398B3934C87D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:hughes:hn7000s_firmware:6.9.0.37:*:*:*:*:*:*:*", "matchCriteriaId": "50E0765C-2796-47F5-B465-1B5660A6CDB9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hughes:hn7000s:-:*:*:*:*:*:*:*", "matchCriteriaId": "91470E55-2227-489A-BEB5-86C151F32344", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross Site Scripting (XSS) vulnerability in Hughes Network Systems Router Terminal for HX200 v8.3.1.14, HX90 v6.11.0.5, HX50L v6.10.0.18, HN9460 v8.2.0.48, and HN7000S v6.9.0.37, allows unauthenticated attackers to misuse frames, include JS/HTML code and steal sensitive information from legitimate users of the application."}, {"lang": "es", "value": "Vulnerabilidad de cross-site scripting (XSS) en la terminal de router de Hughes Network Systems para HX200 v8.3.1.14, HX90 v6.11.0.5, HX50L v6.10.0.18, HN9460 v8.2.0.48 y HN7000S v6.9.0.37, permite a atacantes no autenticados hacer un mal uso de los frames, incluir c\u00f3digo JS/HTML y robar informaci\u00f3n confidencial de usuarios leg\u00edtimos de la aplicaci\u00f3n."}], "id": "CVE-2023-22971", "lastModified": "2025-03-28T17:15:25.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-01-26T21:18:13.540", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.hughes.com"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.hughes.com"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}