
Forum Discussion

conglv
Aspirant
Oct 06, 2024

Secure Issue M4300, M4250 - API Mass Assignment

Hi,

I have now purchased some Netgear products for NAV Extron application. However, during inspection, several security vulnerabilities were found related to the web administration interface of the switches, including models like XSM4328FV, GSM4230PX, GSM4328S, and GS728TPv3, especially high-risk issues such as API Mass Assignment, which I have not been able to resolve on my own.

Details: (scan by HCL AppScan)

Issue: API Mass Assignment
Severity: High
CVSS Score: 7.3
URL: https://192.168.0.241:4443/api/v1/login
Entity: login (Page)
Risk: API Mass Assignment exploitation may lead to privilege escalation, data tampering, and bypass of security mechanisms.
Cause: API endpoints are vulnerable to Mass Assignment if they automatically convert client-provided data into internal object properties without considering the sensitivity and the exposure level of these properties.
Fix: Avoid using functions that automatically bind the client's input to code variables or internal objects. If applicable, explicitly define and enforce schemas for the input data payloads.
Reasoning: The test result seems to indicate a vulnerability because the Test Response is successful (returns 200 OK), indicating that the Application/API access is successful.

Attached is the report detailing these security vulnerabilities.

Can anyone help me to fix it?
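To make the scanner's "Cause" and "Fix" concrete, here is an added illustration (hypothetical code, not NETGEAR firmware or the AppScan rule): a login body is bound once by blindly copying every JSON key onto the session object, and once through an explicit allowlist schema; the `Session` fields, `LOGIN_SCHEMA` and the sample request body are all constructed for the example.

```python
"""Mass assignment vs. schema-enforced binding for a login payload.
Hypothetical example; field names are assumptions, not the switch's real API."""
from dataclasses import dataclass

# Constructed allowlist: the only fields a login request may carry, with types.
LOGIN_SCHEMA = {"username": str, "password": str}


@dataclass
class Session:
    username: str = ""
    password: str = ""
    role: str = "user"          # internal property: must never be client-set
    authenticated: bool = False  # internal property: set only after auth check


def bind_unsafe(payload: dict) -> Session:
    """The flagged pattern: every key in the request becomes an attribute."""
    session = Session()
    for key, value in payload.items():
        setattr(session, key, value)  # no allowlist, so 'role' leaks through
    return session


class SchemaViolation(ValueError):
    """Raised when a request body does not match the declared schema."""


def bind_with_schema(payload: dict, schema: dict) -> Session:
    """The recommended fix: reject unknown keys, missing keys and wrong types."""
    unknown = set(payload) - set(schema)
    if unknown:
        raise SchemaViolation(f"unexpected fields: {sorted(unknown)}")
    missing = set(schema) - set(payload)
    if missing:
        raise SchemaViolation(f"missing fields: {sorted(missing)}")
    for key, expected_type in schema.items():
        if not isinstance(payload[key], expected_type):
            raise SchemaViolation(f"field {key!r} must be {expected_type.__name__}")
    # Only schema keys reach the constructor; role/authenticated keep defaults.
    return Session(**{key: payload[key] for key in schema})


# Constructed request body: valid credentials plus an injected internal field.
TAMPERED_LOGIN = {"username": "alice", "password": "hunter2", "role": "admin"}


def classify(payload: dict) -> dict:
    """Show what each binder lets client data do to internal properties."""
    unsafe_session = bind_unsafe(payload)
    try:
        bind_with_schema(payload, LOGIN_SCHEMA)
        rejected = False
    except SchemaViolation:
        rejected = True
    return {"unsafe_role": unsafe_session.role, "schema_rejected": rejected}
```

A 200 OK on its own, as in the scanner's reasoning line, does not prove the extra field was bound; the meaningful check is whether an injected property such as `role` actually changes server-side state, which is what the two binders above make visible side by side.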


3 Replies

  • This report was created by HCL AppScan Standard 10.5.1

    RennaD
    NETGEAR Moderator

    Hi conglv,


    Welcome to the NETGEAR Community! 🙂


    If not yet done, I suggest updating first to the latest firmware and running the scan again. If the issue persists, please do contact the Netgear support team so a case can be created.


    https://www.netgear.com/about/contact-us/


    Have a lovely day,
    RennaD
    Netgear Team 
