CVE-2021-31250
MEDIUM EXPLOITED NUCLEICHIYU BF-430, BF-431, and BF-450M Firmware - Stored Cross-Site Scripting in man.cgi, if.cgi, dhcpc.cgi, ppp.cgi
Title source: llmExploitation Summary
CVE-2021-31250 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
Multiple storage XSS vulnerabilities were discovered on BF-430, BF-431 and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of sanitization of the input on the components man.cgi, if.cgi, dhcpc.cgi, ppp.cgi.
Nuclei Templates (1)
CHIYU TCP/IP Converter - Cross-Site Scripting
MEDIUMby geeknik
References (3)
Core 3
Core References
Exploit, Third Party Advisory x_refsource_misc
https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks/
Exploit, Third Party Advisory x_refsource_misc
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250
Vendor Advisory x_refsource_misc
https://www.chiyu-tech.com/msg/message-Firmware-update-87.htm
Scores
CVSS v3
5.4
EPSS
0.7961
EPSS Percentile
99.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
VulnCheck KEV
2024-04-08
CWE
CWE-79
Status
published
Products (3)
chiyu-tech/bf-430_firmware
chiyu-tech/bf-431_firmware
chiyu-tech/bf-450m_firmware
Published
Jun 04, 2021
Tracked Since
Feb 18, 2026