CVE-2024-3141
Description
A vulnerability has been found in Clavister E10 and E80 up to 14.00.10 and classified as problematic. This vulnerability affects unknown code of the file /?Page=Node&OBJ=/System/AdvancedSettings/DeviceSettings/MiscSettings of the component Misc Settings Page. The manipulation of the argument WatchdogTimerTime/BufFloodRebootTime/MaxPipeUsers/AVCache Lifetime/HTTPipeliningMaxReq/Reassembly MaxConnections/Reassembly MaxProcessingMem/ScrSaveTime leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 14.00.11 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-258916.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Clavister E10/E80 firmware up to and including 14.00.10 has a reflected XSS in the Misc Settings page via several settings parameters; exploiting it requires a CSRF delivery step.
A reflected cross-site scripting vulnerability exists in Clavister E10 and E80 firewall firmware versions up to and including 14.00.10. The flaw resides in the Misc Settings page at the endpoint /?Page=Node&OBJ=/System/AdvancedSettings/DeviceSettings/MiscSettings. Multiple parameters, including WatchdogTimerTime, BufFloodRebootTime, MaxPipeUsers, AVCache Lifetime, HTTPipeliningMaxReq, Reassembly MaxConnections, Reassembly MaxProcessingMem, and ScrSaveTime, are reflected into the response without output encoding, so a value containing markup is rendered as HTML and arbitrary JavaScript can be injected.
Exploitation is remote but indirect: it has to be chained with CSRF. An attacker hosts an HTML form that submits a POST request to the vulnerable endpoint with a script payload in one of the affected parameters. If a logged-in administrator is tricked into submitting this form (for example through a phishing link), the browser sends the request with the administrator's session, and the reflected script executes in the origin of the management interface. This is possible because the application lacks anti-CSRF tokens and does not sufficiently validate the origin of requests [1].
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the firewall's web management interface. This could lead to theft of session cookies, modification of device settings, or other actions performed with the administrator's privileges. The vulnerability is rated low severity (CVSS 2.4) because exploitation requires user interaction from an already authenticated administrator, delivered through the CSRF step.
Clavister has released firmware version 14.00.11 to fix the issue, available through its official download portal [2]. Administrators are strongly recommended to upgrade to that version or later. No workarounds have been provided.
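The pattern described above (a CSRF-delivered POST whose parameter values are echoed unencoded into the settings form) and the server-side controls that close it, as an added example. This is illustrative code written for this page, not Clavister firmware: the endpoint path and parameter names are taken from the advisory, while the request shape, the anti-CSRF token scheme, the HTML layout, the device hostname and the assumption that these settings hold non-negative integers are all assumptions made here. The attack body is constructed for the demonstration.

```python
# Added example, not Clavister code: a toy Misc Settings handler that reproduces
# the reflected-XSS-via-CSRF pattern from the advisory, next to a hardened one.
# Endpoint and parameter names come from the advisory; request shape, token
# scheme, HTML layout and the "values are integers" assumption are illustrative.
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ENDPOINT = "/?Page=Node&OBJ=/System/AdvancedSettings/DeviceSettings/MiscSettings"

# Parameters named in the advisory. Assumed (from their names) to hold
# non-negative integers: timers, counters and memory limits.
NUMERIC_FIELDS = (
    "WatchdogTimerTime", "BufFloodRebootTime", "MaxPipeUsers", "AVCache Lifetime",
    "HTTPipeliningMaxReq", "Reassembly MaxConnections",
    "Reassembly MaxProcessingMem", "ScrSaveTime",
)

# Constructed attack body: what an attacker-hosted HTML form would POST to
# ENDPOINT from the administrator's browser, riding on the admin's session.
ATTACK_BODY = urlencode({
    "WatchdogTimerTime": '1"><script>alert(document.cookie)</script>',
    "MaxPipeUsers": "100",
})


def render_vulnerable(body: str) -> str:
    """Echoes every submitted value straight back into the form: the flaw class."""
    params = parse_qs(body, keep_blank_values=True)
    rows = [f'<input name="{n}" value="{params.get(n, [""])[0]}">' for n in NUMERIC_FIELDS]
    return '<form method="POST">' + "".join(rows) + "</form>"


class CsrfError(Exception):
    pass


def new_session_token() -> str:
    """Unguessable per-session anti-CSRF token, kept server-side with the session."""
    return secrets.token_urlsafe(32)


def same_origin(header_value: str, device_origin: str) -> bool:
    """Exact scheme + host[:port] comparison; a startswith() check would be bypassable."""
    a, b = urlsplit(header_value), urlsplit(device_origin)
    return bool(a.netloc) and (a.scheme, a.netloc) == (b.scheme, b.netloc)


def render_hardened(body: str, headers: dict, session_token: str, device_origin: str) -> str:
    # 1. Browsers send Origin on cross-site POSTs; a mismatch or absence is rejected.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not same_origin(origin, device_origin):
        raise CsrfError("cross-origin request rejected")
    params = parse_qs(body, keep_blank_values=True)
    # 2. The form must carry the session's token; compare in constant time.
    submitted = params.get("csrf_token", [""])[0]
    if not hmac.compare_digest(submitted.encode(), session_token.encode()):
        raise CsrfError("missing or wrong anti-CSRF token")
    rows = []
    for name in NUMERIC_FIELDS:
        raw = params.get(name, [""])[0]
        # 3. Allow-list the type: a numeric setting that is not a number is rejected, not echoed.
        if raw and not raw.isdigit():
            raise ValueError(f"{name} must be a non-negative integer")
        # 4. Encode on output anyway, so a future free-text field cannot reintroduce XSS.
        rows.append(f'<input name="{html.escape(name)}" value="{html.escape(raw)}">')
    rows.append(f'<input type="hidden" name="csrf_token" value="{html.escape(session_token)}">')
    return '<form method="POST">' + "".join(rows) + "</form>"


def classify(body: str, headers: dict, session_token: str, device_origin: str) -> str:
    """Outcome of the hardened handler: 'rendered', 'blocked-csrf' or 'rejected-value'."""
    try:
        render_hardened(body, headers, session_token, device_origin)
    except CsrfError:
        return "blocked-csrf"
    except ValueError:
        return "rejected-value"
    return "rendered"


if __name__ == "__main__":
    token = new_session_token()
    device = "https://fw.example.internal"  # assumed management hostname
    print("vulnerable:", render_vulnerable(ATTACK_BODY))
    print("cross-site POST:", classify(ATTACK_BODY, {"Origin": "https://attacker.example"}, token, device))
    print("same-site, payload:", classify(ATTACK_BODY + "&csrf_token=" + token, {"Origin": device}, token, device))
```

Either of the first two controls in the hardened handler defeats the attack path described in the advisory on its own; the type allow-list and output encoding remove the XSS even if an attacker somehow obtained a valid token and origin.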
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=14.00.10
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.