CVE-2024-45372

MZK-DP300N firmware versions 1.04 and earlier contains a cross-site request forger vulnerability. Viewing a malicious page while logging in to the web management page of the affected product may lead the user to perform unintended operations such as changing the login password, etc.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://jvn.jp/en/jp/JVN81966868/	Third Party Advisory
https://www.planex.co.jp/support/download/mzk-dp300n/	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:planex:mzk-dp300n_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:planex:mzk-dp300n:-:*:*:*:*:*:*:*

History

03 Oct 2024, 00:34

Type	Values Removed	Values Added
CPE		cpe:2.3:h:planex:mzk-dp300n:-:::::::* cpe:2.3:o:planex:mzk-dp300n_firmware::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
First Time		Planex mzk-dp300n Planex mzk-dp300n Firmware Planex
References	~~() https://jvn.jp/en/jp/JVN81966868/ -~~	() https://jvn.jp/en/jp/JVN81966868/ - Third Party Advisory
References	~~() https://www.planex.co.jp/support/download/mzk-dp300n/ -~~	() https://www.planex.co.jp/support/download/mzk-dp300n/ - Product

26 Sep 2024, 13:32

Type	Values Removed	Values Added
Summary		(es) Las versiones de firmware 1.04 y anteriores del MZK-DP300N contienen una vulnerabilidad de cross-site request forgery. Al visualizar una página maliciosa mientras se inicia sesión en la página de administración web del producto afectado, el usuario puede realizar operaciones no deseadas, como cambiar la contraseña de inicio de sesión, etc.

26 Sep 2024, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-26 05:15

Updated : 2025-03-25 16:15

NVD link : CVE-2024-45372

Mitre link : CVE-2024-45372

CVE.ORG link : CVE-2024-45372

JSON object : View

Products Affected

planex

mzk-dp300n_firmware
mzk-dp300n

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2024-45372", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-09-26T05:15:12.100", "references": [{"url": "https://jvn.jp/en/jp/JVN81966868/", "tags": ["Third Party Advisory"], "source": "vultures@jpcert.or.jp"}, {"url": "https://www.planex.co.jp/support/download/mzk-dp300n/", "tags": ["Product"], "source": "vultures@jpcert.or.jp"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "vultures@jpcert.or.jp", "description": [{"lang": "en", "value": "CWE-352"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "MZK-DP300N firmware versions 1.04 and earlier contains a cross-site request forger vulnerability. Viewing a malicious page while logging in to the web management page of the affected product may lead the user to perform unintended operations such as changing the login password, etc."}, {"lang": "es", "value": "Las versiones de firmware 1.04 y anteriores del MZK-DP300N contienen una vulnerabilidad de cross-site request forgery. Al visualizar una p\u00e1gina maliciosa mientras se inicia sesi\u00f3n en la p\u00e1gina de administraci\u00f3n web del producto afectado, el usuario puede realizar operaciones no deseadas, como cambiar la contrase\u00f1a de inicio de sesi\u00f3n, etc."}], "lastModified": "2025-03-25T16:15:24.080", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:planex:mzk-dp300n_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AE648DB3-3244-4545-A8A4-0A2AC0D2FBFD", "versionEndIncluding": "1.04"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:planex:mzk-dp300n:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9C32FA46-24FC-4AD4-94F9-0A4D569D19D0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "vultures@jpcert.or.jp"}