VYPR
Unrated severity · NVD Advisory · Published Jun 4, 2021 · Updated Aug 3, 2024

CVE-2021-31250

Description

Multiple storage XSS vulnerabilities were discovered on BF-430, BF-431 and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of sanitization of the input on the components man.cgi, if.cgi, dhcpc.cgi, ppp.cgi.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple stored XSS vulnerabilities in CHIYU BF-430, BF-431, and BF-450M TCP/IP Converter devices allow attackers to inject malicious scripts via unsanitized input on CGI components.

Vulnerability

Multiple stored cross-site scripting (XSS) vulnerabilities exist in CHIYU Technology BF-430, BF-431, and BF-450M TCP/IP Converter devices due to insufficient sanitization of user-supplied input on the CGI components man.cgi, if.cgi, dhcpc.cgi, and ppp.cgi. The affected parameters include TF_submask (in if.cgi), TF_hostname (in dhcpc.cgi), TF_servicename (in ppp.cgi), and TF_port (in man.cgi). All firmware versions prior to the vendor's fix are vulnerable [1].

Exploitation

An attacker with network access to the device's web interface and valid credentials can inject a crafted XSS payload into any of the listed parameters. The payload is stored on the device and executed when an administrator or other user views the affected page. Proof-of-concept payloads include "> and /""> [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to theft of session cookies, redirection to malicious websites, or other client-side attacks. Because the XSS is stored, the malicious script persists and can affect multiple users who access the compromised interface [1].

Mitigation

CHIYU Technology recommends installing the latest firmware version to remediate this vulnerability. No specific fixed version number is provided in the available reference. Users should contact the vendor for updated firmware and apply it as soon as possible [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Lack of input sanitization on CGI parameters allows stored cross-site scripting."

Attack vector

An attacker with network access to the device can inject a specially crafted XSS payload into parameters such as TF_submask (if.cgi), TF_hostname (dhcpc.cgi), TF_servicename (ppp.cgi), or TF_port (man.cgi) [1]. Because the application does not sanitize these inputs before storing and later rendering them, the injected script executes in the browser of any user who views the affected page [1]. The attacker can then steal session cookies or redirect victims to a malicious web page [1].

Affected code

The vulnerability exists in the CGI components man.cgi, if.cgi, dhcpc.cgi, and ppp.cgi on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc. [1]

What the fix does

The advisory does not provide a patch diff or code-level fix [1]. The recommended mitigation is to install the latest version of the CHIYU firmware, which presumably adds input sanitization to the affected CGI components [1].
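Since no vendor fix is published, the following is an added illustration (not CHIYU's code) of the two controls that close a stored XSS of this kind: allow-list validation of the four named parameters before storage, and HTML-encoding when a stored value is rendered. The field semantics (netmask, hostname, service name, port) are assumptions inferred from the parameter names, and `validate_form` and `render_input` are hypothetical helper names.

```python
import html
import ipaddress
import re

# Assumed formats, inferred from the parameter names in the advisory.
_HOSTNAME = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")
_SERVICE = re.compile(r"[A-Za-z0-9 ._-]{0,64}")


def _is_netmask(value):
    """True only for a dotted-quad IPv4 mask whose one-bits are contiguous."""
    try:
        mask = int(ipaddress.IPv4Address(value))
    except ValueError:
        return False
    inverted = mask ^ 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def _is_port(value):
    """True for an ASCII decimal port number in 1..65535."""
    return (value.isascii() and value.isdigit()
            and len(value) <= 5 and 1 <= int(value) <= 65535)


VALIDATORS = {
    "TF_submask": _is_netmask,                                   # if.cgi
    "TF_hostname": lambda v: len(v) <= 253
    and _HOSTNAME.fullmatch(v) is not None,                      # dhcpc.cgi
    "TF_servicename": lambda v: _SERVICE.fullmatch(v) is not None,  # ppp.cgi
    "TF_port": _is_port,                                         # man.cgi
}


def validate_form(fields):
    """Return the submitted field names that must be rejected before storage."""
    return sorted(name for name, value in fields.items()
                  if name in VALIDATORS and not VALIDATORS[name](value))


def render_input(name, stored_value):
    """Encode on output as well, so values stored before the fix stay inert."""
    return '<input name="{}" value="{}">'.format(
        html.escape(name, quote=True), html.escape(stored_value, quote=True))


if __name__ == "__main__":
    # Constructed sample submission: one valid field, one containing markup.
    sample = {"TF_port": "502", "TF_hostname": '"><i>x</i>'}
    print(validate_form(sample))
    print(render_input("TF_hostname", sample["TF_hostname"]))
```

Output encoding matters independently of input validation: a device upgraded in place may still hold values that were stored before validation existed.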

Preconditions

  • network: Attacker must have network access to the affected CHIYU device's web interface
  • input: Attacker must be able to send HTTP requests to the CGI components (man.cgi, if.cgi, dhcpc.cgi, ppp.cgi)

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
