CVE-2016-4845 : Cross-site request forgery (CSRF) vulnerability on I-O DATA DEVICE HVL-A2.0, HVL

Cross-site request forgery (CSRF) vulnerability on I-O DATA DEVICE HVL-A2.0, HVL-A3.0, HVL-A4.0, HVL-AT1.0S, HVL-AT2.0, HVL-AT3.0, HVL-AT4.0, HVL-AT2.0A, HVL-AT3.0A, and HVL-AT4.0A devices with firmware before 2.04 allows remote attackers to hijack the authentication of arbitrary users for requests that delete content.

Published 2016-09-24 10:59:01

Updated 2025-04-12 10:46:41

Source JPCERT/CC

View at NVD, CVE.org

Vulnerability category: Cross-site request forgery (CSRF)

Products affected by CVE-2016-4845

Iodata » Hvl-at4.0a Firmware » Version: 2.03
cpe:2.3:o:iodata:hvl-at4.0a_firmware:2.03:*:*:*:*:*:*:*
Matching versions
When used together with: Iodata » Hvl-a » Version: N/A
When used together with: Iodata » Hvl-at » Version: N/A
When used together with: Iodata » Hvl-ata » Version: N/A
Iodata » Hvl-at3.0a Firmware » Version: 2.03
cpe:2.3:o:iodata:hvl-at3.0a_firmware:2.03:*:*:*:*:*:*:*
Matching versions
When used together with: Iodata » Hvl-a » Version: N/A
When used together with: Iodata » Hvl-at » Version: N/A
When used together with: Iodata » Hvl-ata » Version: N/A
Iodata » Hvl-at2.0a Firmware » Version: 2.03
cpe:2.3:o:iodata:hvl-at2.0a_firmware:2.03:*:*:*:*:*:*:*
Matching versions
When used together with: Iodata » Hvl-a » Version: N/A
When used together with: Iodata » Hvl-at » Version: N/A
When used together with: Iodata » Hvl-ata » Version: N/A
Iodata » Hvl-at4.0 Firmware » Version: 2.03
cpe:2.3:o:iodata:hvl-at4.0_firmware:2.03:*:*:*:*:*:*:*
Matching versions
When used together with: Iodata » Hvl-a » Version: N/A
When used together with: Iodata » Hvl-at » Version: N/A
When used together with: Iodata » Hvl-ata » Version: N/A
Iodata » Hvl-at3.0 Firmware » Version: 2.03
cpe:2.3:o:iodata:hvl-at3.0_firmware:2.03:*:*:*:*:*:*:*
Matching versions
When used together with: Iodata » Hvl-a » Version: N/A
When used together with: Iodata » Hvl-at » Version: N/A
When used together with: Iodata » Hvl-ata » Version: N/A
Iodata » Hvl-at2.0 Firmware » Version: 2.03
cpe:2.3:o:iodata:hvl-at2.0_firmware:2.03:*:*:*:*:*:*:*
Matching versions
When used together with: Iodata » Hvl-a » Version: N/A
When used together with: Iodata » Hvl-at » Version: N/A
When used together with: Iodata » Hvl-ata » Version: N/A
Iodata » Hvl-at1.0s Firmware » Version: 2.03
cpe:2.3:o:iodata:hvl-at1.0s_firmware:2.03:*:*:*:*:*:*:*
Matching versions
When used together with: Iodata » Hvl-a » Version: N/A
When used together with: Iodata » Hvl-at » Version: N/A
When used together with: Iodata » Hvl-ata » Version: N/A
Iodata » Hvl-a4.0 Firmware » Version: 2.03
cpe:2.3:o:iodata:hvl-a4.0_firmware:2.03:*:*:*:*:*:*:*
Matching versions
When used together with: Iodata » Hvl-a » Version: N/A
When used together with: Iodata » Hvl-at » Version: N/A
When used together with: Iodata » Hvl-ata » Version: N/A
Iodata » Hvl-a3.0 Firmware » Version: 2.03
cpe:2.3:o:iodata:hvl-a3.0_firmware:2.03:*:*:*:*:*:*:*
Matching versions
When used together with: Iodata » Hvl-a » Version: N/A
When used together with: Iodata » Hvl-at » Version: N/A
When used together with: Iodata » Hvl-ata » Version: N/A
Iodata » Hvl-a2.0 Firmware » Version: 2.03
cpe:2.3:o:iodata:hvl-a2.0_firmware:2.03:*:*:*:*:*:*:*
Matching versions
When used together with: Iodata » Hvl-a » Version: N/A
When used together with: Iodata » Hvl-at » Version: N/A
When used together with: Iodata » Hvl-ata » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2016-4845

EPSS FAQ

5.58%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 89 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-4845

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-4845

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-4845

http://jvn.jp/en/jp/JVN35062083/index.html

JVN#35062083: Multiple I-O DATA Recording Hard disk products vulnerable to cross-site request forgery
Third Party Advisory
http://www.iodata.jp/support/information/2016/hvl-a_csrf/

クロスサイトリクエストフォージェリの脆弱性について | IODATA アイ・オー・データ機器
Vendor Advisory
http://jvndb.jvn.jp/jvndb/JVNDB-2016-000134

JVNDB-2016-000134 - JVN iPedia - 脆弱性対策情報データベース
Third Party Advisory;VDB Entry
http://www.securityfocus.com/bid/92352

Multiple I-O DATA DEVICE Products CVE-2016-4845 Cross Site Request Forgery Vulnerability

Jump to

Vulnerability Details : CVE-2016-4845

Products affected by CVE-2016-4845

Exploit prediction scoring system (EPSS) score for CVE-2016-4845

CVSS scores for CVE-2016-4845

CWE ids for CVE-2016-4845

References for CVE-2016-4845