CVE-2021-20844
MEDIUMYamaha RTX830, NVR510, NVR700W, RTX1210 Firmware - Authenticated Information Disclosure via HTTP Header Injection
Title source: llmDescription
Improper neutralization of HTTP request headers for scripting syntax vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to obtain sensitive information via a specially crafted web page.
References (4)
Core 4
Core References
Mitigation, Vendor Advisory x_refsource_misc
https://www.ntt-west.co.jp/smb/kiki_info/info/211109.html
Mitigation, Vendor Advisory x_refsource_misc
https://business.ntt-east.co.jp/topics/2021/11_09.html
Mitigation, Vendor Advisory x_refsource_misc
http://www.rtpro.yamaha.co.jp/RT/FAQ/Security/JVNVU91161784.html
Mitigation, Third Party Advisory x_refsource_misc
https://jvn.jp/en/vu/JVNVU91161784/index.html
Scores
CVSS v3
5.7
EPSS
0.0093
EPSS Percentile
55.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Details
CWE
CWE-116
Status
published
Products (8)
ntt-west/biz_box_nvr510_firmware
< 15.01.18
ntt-west/biz_box_nvr700w_firmware
< 15.00.19
ntt-west/biz_box_rtx1210_firmware
< 14.01.38
ntt-west/biz_box_rtx830_firmware
< 15.02.17
yamaha/nvr510_firmware
< 15.01.18
yamaha/nvr700w_firmware
< 15.00.19
yamaha/rtx1210_firmware
< 14.01.38
yamaha/rtx830_firmware
< 15.02.17
Published
Nov 24, 2021
Tracked Since
Feb 18, 2026