All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.5.0
are vulnerable to reflected cross-site scripting (XSS) attacks in the
method parameter. The ETIC RAS web server uses dynamic pages that get
their input from the client side and reflect that input in the response
to the client.
Advisories
Source ID Title
EUVD EUVD-2024-23433 All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.5.0 are vulnerable to reflected cross-site scripting (XSS) attacks in the method parameter. The ETIC RAS web server uses dynamic pages that get their input from the client side and reflect that input in the response to the client.
Fixes

Solution

For all firmware versions 4.5.0 (https://www.etictelecom.com/en/softwares-download/) and above, this issue is fixed.


Workaround

To reduce the attack surface in versions prior to 4.5.0, ETIC Telecom advises users to verify in the router configuration that: (1) the administration web page is accessible only through the LAN side over HTTPS, and (2) the administration web page is protected with authentication.

History

Wed, 30 Jul 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Etictelecom
Etictelecom remote Access Server Firmware
CPEs cpe:2.3:o:etictelecom:remote_access_server_firmware:*:*:*:*:*:*:*:*
Vendors & Products Etictelecom
Etictelecom remote Access Server Firmware

Tue, 21 Jan 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Jan 2025 16:30:00 +0000

Type Values Removed Values Added
Description All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.5.0 are vulnerable to reflected cross-site scripting (XSS) attacks in the method parameter. The ETIC RAS web server uses dynamic pages that get their input from the client side and reflect that input in the response to the client.
Title ETIC Telecom Remote Access Server (RAS) Cross-site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2025-01-21T15:05:56.805Z

Reserved: 2024-02-14T22:03:32.381Z

Link: CVE-2024-26156

Vulnrichment

Updated: 2025-01-21T15:05:53.201Z

NVD

Status: Analyzed

Published: 2025-01-17T17:15:11.533

Modified: 2025-07-30T17:01:46.600

Link: CVE-2024-26156

Redhat

No data.

OpenCVE Enrichment

No data.