CVE-2021-31641
Description
An unauthenticated XSS vulnerability exists in several IoT devices from CHIYU Technology, including BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC due to a lack of sanitization when the HTTP 404 message is generated.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated XSS vulnerability in several CHIYU IoT devices due to unsanitized HTTP 404 error messages allows attackers to inject arbitrary scripts.
Vulnerability
An unauthenticated cross-site scripting (XSS) vulnerability exists in several CHIYU Technology IoT devices, including BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC. The vulnerability arises because the HTTP 404 error page does not sanitize user-supplied input, allowing an attacker to inject arbitrary JavaScript or HTML. The affected firmware versions are those prior to the vendor's security update [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication. By sending a crafted HTTP request that triggers a 404 error with a malicious payload (e.g., a script tag) in the URL, the payload is reflected in the resulting error page and executed in the browser of any user viewing that page. No special network position or user interaction beyond viewing the page is required [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the device's web interface. This can lead to session hijacking, defacement, redirection to malicious sites, or extraction of sensitive information. Since the vulnerability is unauthenticated, any user who accesses the device's web interface can be affected [1].
Mitigation
CHIYU Technology has released firmware updates to address this vulnerability. Users should update their devices to the latest firmware version available from the vendor's support page. No known workarounds exist; applying the patch is the recommended mitigation [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
10- CHIYU Technology/IoT devicesdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper sanitization of user-supplied input when generating the HTTP 404 error page allows reflected XSS."
Attack vector
An unauthenticated attacker sends a crafted HTTP request to the device, placing a JavaScript payload directly in the URL path — for example, `http://ip/<script>alert(123)</script>` [ref_id=1]. Because the device does not sanitize input when generating the HTTP 404 error page, the script is reflected back to the victim's browser without escaping. The attacker can then socially engineer a victim into visiting the malicious link, achieving cross-site scripting in the context of the device's web interface [CWE-79].
Affected code
The vulnerability resides in the HTTP 404 error page generation of the web server running on CHIYU IoT devices (BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC). The advisory notes that "any argument passed via URL that results in an HTTP-404" is the affected component [ref_id=1]. No specific source file or function name is disclosed in the reference.
What the fix does
The advisory states that "the latest version of the CHIYU firmware should be installed to mitigate this vulnerability" [ref_id=1]. No patch diff is provided in the bundle, so the specific code-level fix is unknown. The remediation presumably involves adding output encoding or sanitization to the HTTP 404 error page handler so that user-supplied input in the URL is escaped before being rendered in the response.
Preconditions
- networkNo authentication required; the device's web interface must be reachable over the network
- inputThe victim must visit the crafted URL (e.g., via social engineering)
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.htmlmitrex_refsource_MISC
- gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devicesmitrex_refsource_MISC
- seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks/mitrex_refsource_MISC
- www.chiyu-tech.com/msg/message-Firmware-update-87.htmlmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.