What is CVE-2017-9389?

CVE-2017-9389 is a vulnerability found on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices that allows for XSS, command injection, CSRF, and traversal attacks.

What is the severity of CVE-2017-9389?

CVE-2017-9389 has a severity value of 8.8, which is considered critical.

How does CVE-2017-9389 affect Vera VeraEdge and Veralite devices?

CVE-2017-9389 affects Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices by allowing attackers to perform cross-site scripting (XSS), command injection, and cross-site request forgery (CSRF) attacks.

What is the recommended solution for CVE-2017-9389?

To mitigate CVE-2017-9389, it is recommended to update the firmware of Vera VeraEdge and Veralite devices to versions 1.7.20 and 1.7.482 or above.

Where can I find more information about CVE-2017-9389?

You can find more information about CVE-2017-9389 at the following references: [1] http://packetstormsecurity.com/files/153242/Veralite-Veraedge-Router-XSS-Command-Injection-CSRF-Traversal.html [2] https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Vera_sec_issues.pdf [3] https://seclists.org/bugtraq/2019/Jun/8

Vulnerability/
CVE-2017-9389

critical

CWE

287

17/6/2019

20/6/2019

CVE-2017-9389

First published: Mon Jun 17 2019(Updated: )

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device allows a user to install applications written in the Lua programming language. Also the interface allows any user to write his/her application in the Lua language. However, this functionality is not protected by authentication and this allows an attacker to run arbitrary Lua code on the device. The POST request is forwarded to LuaUPNP daemon on the device. This binary handles the received Lua code in the function "LU::JobHandler_LuaUPnP::RunLua(LU::JobHandler_LuaUPnP *__hidden this, LU::UPnPActionWrapper *)". The value in the "code" parameter is then passed to the function "LU::LuaInterface::RunCode(char const*)" which actually loads the Lua engine and runs the code.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Getvera Vera Edge Firmware	<=1.7.19
Getvera Vera Edge
VeraLite Firmware	<=1.7.481
MiCasaVerde VeraLite

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2017-9389?
CVE-2017-9389 is a vulnerability found on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices that allows for XSS, command injection, CSRF, and traversal attacks.
What is the severity of CVE-2017-9389?
CVE-2017-9389 has a severity value of 8.8, which is considered critical.
How does CVE-2017-9389 affect Vera VeraEdge and Veralite devices?
CVE-2017-9389 affects Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices by allowing attackers to perform cross-site scripting (XSS), command injection, and cross-site request forgery (CSRF) attacks.
What is the recommended solution for CVE-2017-9389?
To mitigate CVE-2017-9389, it is recommended to update the firmware of Vera VeraEdge and Veralite devices to versions 1.7.20 and 1.7.482 or above.
Where can I find more information about CVE-2017-9389?
You can find more information about CVE-2017-9389 at the following references: [1] http://packetstormsecurity.com/files/153242/Veralite-Veraedge-Router-XSS-Command-Injection-CSRF-Traversal.html [2] https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Vera_sec_issues.pdf [3] https://seclists.org/bugtraq/2019/Jun/8

agent/type
agent/first-publish-date
agent/last-modified-date
agent/weakness
agent/references
agent/severity
agent/author
agent/description
agent/event
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/getvera
canonical/getvera vera edge firmware
version/getvera vera edge firmware/1.7.19
canonical/getvera vera edge
canonical/veralite firmware
version/veralite firmware/1.7.481
canonical/micasaverde veralite