Yamaha routers RT57i Rev.8.00.95 and earlier, RT58i Rev.9.01.51 and earlier, NVR500 Rev.11.00.36 and earlier, RTX810 Rev.11.01.31 and earlier, allow an administrative user to embed arbitrary scripts to the configuration data through a certain form field of the configuration page, which may be executed on another administrative user's web browser. This is a different vulnerability from CVE-2018-0665.

Published : 2019-01-09 23:29 Updated : 2019-02-11 14:16

CVSS Score More info
Score 5.2 / 10
Vendor Product Version URI
Yamaha Nvr500 Firmware rev.11.00.36 cpe:/o:yamaha:nvr500_firmware:rev.11.00.36
Yamaha Rt57i Firmware rev.8.00.95 cpe:/o:yamaha:rt57i_firmware:rev.8.00.95
Yamaha Rt58i Firmware rev.9.01.51 cpe:/o:yamaha:rt58i_firmware:rev.9.01.51
Yamaha Rtx810 Firmware rev.11.01.31 cpe:/o:yamaha:rtx810_firmware:rev.11.01.31
  1. Yamaha (4) Search CVE
    1. Rt58i Firmware (1) Search CVE
      1. Rev.9.01.51
    2. Nvr500 Firmware (1) Search CVE
      1. Rev.11.00.36
    3. Rtx810 Firmware (1) Search CVE
      1. Rev.11.01.31
    4. Rt57i Firmware (1) Search CVE
      1. Rev.8.00.95


ID Name Description Links
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. CVE

History of changes

Date Event
2019-02-11 14:16
2019-01-09 23:29