NEC UNIVERGE IX
cpe:2.3:h:nec:univerge:*:*:*:*:*:*:*
- 1.3.16
- 1.3.21
A cross-site scripting vulnerability has been identified in NEC UNIVERGE IX routers, specifically in versions 9.5 prior to 10.7, 10.8.21 through 10.8.36, 10.9.11 through 10.9.24, 10.10.21 through 10.10.31, and 10.11.6. Additionally, UNIVERGE IX-R/IX-V Series versions 1.3.16 and 1.3.21 are affected. This vulnerability allows an attacker to inject arbitrary scripts that are executed in the user's browser. In the case of UNIVERGE IX series routers, logged-in users can send specially crafted WebGUI messages that execute arbitrary CLI commands on the product.
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser. For UNIVERGE IX series routers, this could also lead to the execution of arbitrary CLI commands on the device.
Users are advised to update to the latest version. For UNIVERGE IX Series, update instructions can be found on the NEC UNIVERGE IX Security Information page. For UNIVERGE IX-R/IX-V Series, refer to the NEC UNIVERGE IX-R/IX-V Security Information page. If an update cannot be applied, disable the WebGUI.