CVE-2021-20680
Description
Multiple NEC Aterm devices contain a reflected XSS vulnerability allowing remote attackers to inject arbitrary script or HTML via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in multiple NEC Aterm devices, including models WG1900HP2 (firmware Ver.1.3.1 and earlier), WG1900HP (Ver.2.5.1 and earlier), WG1800HP4 (Ver.1.3.1 and earlier), WG1800HP3 (Ver.1.5.1 and earlier), WG1200HS2 (Ver.2.5.0 and earlier), WG1200HP3 (Ver.1.3.1 and earlier), WG1200HP2 (Ver.2.5.0 and earlier), W1200EX (Ver.1.3.1 and earlier), W1200EX-MS (Ver.1.3.1 and earlier), as well as all firmware versions of WG1200HS, WG1200HP, WF800HP, WF300HP2, WR8165N, W500P, and W300P. The vulnerability is due to improper neutralization of user input, allowing an attacker to inject arbitrary script or HTML via unspecified vectors [1].
Exploitation
An attacker can exploit this vulnerability remotely by persuading a user to access a specially crafted URL, which would then execute the injected script or HTML in the context of the affected device's web management interface. The attack requires user interaction (e.g., clicking a link) and network access to the victim [1].
Impact
Successful exploitation allows an attacker to execute arbitrary script or HTML in the user's browser, potentially leading to disclosure of session information, manipulation of web content, or other actions within the context of the device's management interface. The CVSS v3 base score is 6.1 (Medium), indicating moderate impact on confidentiality and integrity [1].
Mitigation
For models WG1900HP2, WG1900HP, WG1800HP4, WG1200HS3, WG1200HS2, WG1200HP3, WG1200HP2, W1200EX, and W1200EX-MS, users should update firmware to the latest version provided by the developer [1]. For WG1800HP3, a fixed firmware will be released later; until then, users should apply workarounds such as using bookmarked URLs, closing the browser after management tasks, and deleting stored credentials [1]. For models WG1200HS, WG1200HP, WF800HP, WF300HP2, WR8165N, W500P, and W300P, no updated firmware is planned, so users should implement the same workarounds and consider upgrading to supported devices [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= Ver.1.3.1
- Range: <= Ver.1.3.1
- NEC Corporation/NEC Aterm devices (v5). Range: Aterm WG1900HP2 firmware Ver.1.3.1 and earlier, Aterm WG1900HP firmware Ver.2.5.1 and earlier, Aterm WG1800HP4 firmware Ver.1.3.1 and earlier, Aterm WG1800HP3 firmware Ver.1.5.1 and earlier, Aterm WG1200HS2 firmware Ver.2.5.0 and earlier, Aterm WG1200HP3 firmware Ver.1.3.1 and earlier, Aterm WG1200HP2 firmware Ver.2.5.0 and earlier, Aterm W1200EX firmware Ver.1.3.1 and earlier, Aterm W1200EX-MS firmware Ver.1.3.1 and earlier, Aterm WG1200HS firmware all versions, Aterm WG1200HP firmware all versions, Aterm WF800HP firmware all versions, Aterm WF300HP2 firmware all versions, Aterm WR8165N firmware all versions, Aterm W500P firmware all versions, and Aterm W300P firmware all versions
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- jpn.nec.com/security-info/secinfo/nv21-008.html (mitre, x_refsource_MISC)
- jvn.jp/en/jp/JVN67456944/index.html (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.