CVE-2021-31643
Description
An XSS vulnerability exists in several IoT devices from CHIYU Technology, including SEMAC, Biosense, BF-630, BF-631, and Webpass due to a lack of sanitization on the component if.cgi - username parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in CHIYU IoT devices' if.cgi username parameter allows remote attackers to inject arbitrary web script.
Vulnerability
An XSS vulnerability exists in the if.cgi component of several CHIYU Technology IoT devices, including SEMAC, Biosense, BF-630, BF-631, and Webpass, due to a lack of sanitization of the username parameter [1]. This allows an attacker to inject arbitrary JavaScript or HTML into the web interface. The affected firmware versions are not explicitly listed, but the vulnerability is present in devices running older firmware [2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a payload in the username parameter of if.cgi and tricking a victim into clicking it. No authentication is required to trigger the XSS, as the parameter is processed without proper validation. The victim must be logged into the device's web interface for the script to execute in their session context [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack operates within the security context of the web application, enabling the attacker to perform actions on behalf of the victim [1].
Mitigation
CHIYU Technology has released firmware updates to address this vulnerability; users should update their devices to the latest firmware version available from the vendor's support page [2]. If updating is not immediately possible, restrict network access to the device's web interface to trusted users only. No workaround is provided in the available references [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4- CHIYU Technology/IoT devicesdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Lack of input sanitization on the username parameter in if.cgi allows stored XSS injection."
Attack vector
An attacker with low-privileged access sends a crafted HTTP request to the `if.cgi` component containing a malicious XSS payload in the `username` parameter [ref_id=1]. The payload `">
Affected code
The vulnerability resides in the `if.cgi` component, specifically in the `username` parameter. Affected devices include SEMAC, Biosense, BF-630, BF-631, and Webpass from CHIYU Technology [ref_id=1].
What the fix does
The advisory does not include a patch diff or specific remediation code. The vendor recommends installing the latest CHIYU firmware to mitigate the vulnerability [ref_id=1]. No further technical details about the fix are provided in the available references.
Preconditions
- authAttacker must have low-privileged access to the device web interface
- configTarget device must be running an affected firmware version
- networkAttacker must be able to reach the if.cgi endpoint over the network
Reproduction
Send a crafted HTTP request to the `if.cgi` component with a malicious payload in the `username` parameter, such as: `username=">
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.htmlmitrex_refsource_MISC
- gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devicesmitrex_refsource_MISC
- seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks/mitrex_refsource_MISC
- www.chiyu-tech.com/msg/message-Firmware-update-87.htmlmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.