2025.07.17

CVE-2021-31641 – Unauthenticated XSS Vulnerability

🔒 CHIYU Technology Inc. – CVE Security Vulnerabilities Summary

| CVE ID | Issue Type | Affected Devices | Vulnerable Component / Cause | Impact |
|---|---|---|---|---|
| CVE-2021-31249 | CRLF Injection | BF-430, BF-431, BF-450M | Lack of validation on the redirect= parameter in multiple CGI components | Potential HTTP response splitting or log injection |
| CVE-2021-31250 | Stored XSS | BF-430, BF-431, BF-450M | Unsanitized input in man.cgi, if.cgi, dhcpc.cgi, ppp.cgi | Persistent script execution in the UI |
| CVE-2021-31251 | Telnet Authentication Bypass | BF-430, BF-431, BF-450M, SEMAC | Specially crafted request tricks the Telnet server into assuming the user is authenticated | Unauthorized remote access |
| CVE-2021-31252 | Open Redirect | BF-430, BF-431, BF-450M, BF-630, BF-631, BF631-W, BF830-W, Webpass, SEMAC | Crafted URL via redirect parameters | Redirect to malicious external sites |
| CVE-2021-31642 | Denial of Service (Integer Overflow) | BIOSENSE, Webpass, BF-630, BF-631, SEMAC | Unexpected >32-bit integer in the page parameter causes a crash | Portal crash requiring a reboot |
| CVE-2021-31643 | Reflected XSS | SEMAC, Biosense, BF-630, BF-631, Webpass | Unsanitized username parameter in if.cgi | Script injection via a malicious link |

✅ Suggested Mitigations

  • Input Validation: Apply strict validation and sanitization to every user-supplied parameter (including redirect=, username and page) before it is used.
  • Authentication Security: Secure the Telnet service, or disable it if it is not needed.
  • Output Encoding: Ensure special characters are escaped wherever user input is written into web output.
  • Firmware Update: Patch affected devices to a firmware version that includes the security fixes.
  • Limit Exposure: Restrict device access to trusted networks only.
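The three input-handling mitigations above, shown in working code. This is an added example, not part of this advisory and not CHIYU firmware: a hypothetical CGI-style handler that validates the three parameter classes named in the table (redirect=, username, page) before using them. The function names, the page bound and the sample requests are assumptions chosen for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical helpers modelled on the parameter classes in the advisory table:
# redirect= (CRLF injection / open redirect), username (reflected XSS) and
# page (integer overflow). Constructed for this example; not device code.

SAFE_REDIRECT = "/"          # fallback target when a redirect value is rejected
DEFAULT_PAGE = 0             # fallback page when the page value is rejected
MAX_PAGE = 9999              # assumed upper bound of real pages on the portal


def validate_redirect(value: str) -> str:
    """Accept only a same-origin relative path for redirect=.

    Rejects CR/LF and other control characters (HTTP response splitting,
    log injection), absolute and scheme-relative URLs and the '/\\' form
    that browsers also treat as a host (open redirect).
    """
    if not value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return SAFE_REDIRECT
    if not value.startswith("/") or value.startswith("//") or value.startswith("/\\"):
        return SAFE_REDIRECT
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return SAFE_REDIRECT
    return value


def escape_for_html(value: str) -> str:
    """Output-encode a reflected value for an HTML text or attribute context."""
    return html.escape(value, quote=True)


def parse_page(value: str, max_page: int = MAX_PAGE) -> int:
    """Parse page as a bounded non-negative integer; never raise.

    The digit-count limit keeps the value well inside 32 bits before int()
    is called, and the range check enforces the real number of pages rather
    than the width of the integer type.
    """
    if not re.fullmatch(r"[0-9]{1,9}", value or ""):
        return DEFAULT_PAGE
    number = int(value)
    return number if number <= max_page else DEFAULT_PAGE


def handle_request(params: dict) -> dict:
    """Toy handler applying all three checks (hypothetical; not if.cgi)."""
    target = validate_redirect(params.get("redirect", SAFE_REDIRECT))
    page = parse_page(params.get("page", str(DEFAULT_PAGE)))
    user = escape_for_html(params.get("username", ""))
    return {
        "headers": {"Location": target},
        "body": f"<p>Welcome, {user} (page {page})</p>",
    }


if __name__ == "__main__":
    # Constructed sample requests: one benign, one carrying each hostile value.
    benign = {"redirect": "/index.html", "username": "alice", "page": "3"}
    hostile = {
        "redirect": "/ok\r\nSet-Cookie: a=b",          # CRLF injection attempt
        "username": '<script>alert(1)</script>',       # reflected XSS probe
        "page": "4294967296",                          # >32-bit integer
    }
    for request in (benign, hostile):
        print(handle_request(request))
```

Each function returns a safe default instead of raising, so a rejected parameter degrades to the portal's landing page rather than to a crash, which is the failure mode the integer-overflow entry describes.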