CVE-2021-20856
Description
Cross-site scripting (XSS) vulnerability in ELECOM WRH-733GBK and WRH-733GWH routers allows remote authenticated attackers to inject arbitrary scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in ELECOM WRH-733GBK and WRH-733GWH routers allows remote authenticated attackers to inject arbitrary scripts.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in ELECOM LAN routers WRH-733GBK and WRH-733GWH running firmware versions v1.02.9 and prior. The vulnerability allows an attacker to inject arbitrary scripts via unspecified vectors. The affected models are limited to these two devices with the specified firmware versions [1].
Exploitation
An attacker must be authenticated to the router's management interface. The exact vectors are not disclosed, but the attacker can inject a malicious script that will be executed in the context of the router's web interface. No user interaction beyond the attacker's own authentication is required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the router's web interface. This could lead to session hijacking, defacement, or theft of sensitive information displayed on the management pages. The impact is limited to the authenticated session of the victim user.
Mitigation
As of the publication date (2021-12-01), no fixed firmware version has been disclosed in the available references. Users should monitor the vendor's support page for updates. No workaround is provided. The affected devices are not listed on the CISA KEV.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=1.02.9
- ELECOM CO.,LTD./ELECOM LAN routersv5Range: WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2- jvn.jp/en/jp/JVN88993473/index.htmlmitrex_refsource_MISC
- www.elecom.co.jp/news/security/20211130-01/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.