Vulnerabilities related to PLANEX COMMUNICATIONS INC. - MZK-DP300N
CVE-2024-45372 (GCVE-0-2024-45372)
Vulnerability from cvelistv5
Published
2024-09-26 04:06
Modified
2025-03-25 15:58
CWE
  • CWE-352 - Cross-site request forgery (CSRF)
Summary
MZK-DP300N firmware versions 1.04 and earlier contain a cross-site request forgery vulnerability. Viewing a malicious page while logged in to the web management page of the affected product may lead the user to perform unintended operations such as changing the login password.
Impacted products
Vendor Product Version
PLANEX COMMUNICATIONS INC. MZK-DP300N Version: firmware versions 1.04 and earlier


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45372",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T13:37:59.352659Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-25T15:58:46.344Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MZK-DP300N",
          "vendor": "PLANEX COMMUNICATIONS INC.",
          "versions": [
            {
              "status": "affected",
              "version": "firmware versions 1.04 and earlier"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MZK-DP300N firmware versions 1.04 and earlier contains a cross-site request forger vulnerability. Viewing a malicious page while logging in to the web management page of the affected product may lead the user to perform unintended operations such as changing the login password, etc."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "Cross-site request forgery (CSRF)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-26T04:06:47.174Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.planex.co.jp/support/download/mzk-dp300n/"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN81966868/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2024-45372",
    "datePublished": "2024-09-26T04:06:47.174Z",
    "dateReserved": "2024-09-10T06:57:25.565Z",
    "dateUpdated": "2025-03-25T15:58:46.344Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21603 (GCVE-0-2025-21603)
Vulnerability from cvelistv5
Published
2025-01-08 03:30
Modified
2025-01-08 14:26
CWE
  • CWE-79 - Cross-site scripting (XSS)
Summary
Cross-site scripting vulnerability exists in MZK-DP300N firmware versions 1.05 and earlier. If an attacker logs in to the affected product and manipulates the device settings, an arbitrary script may be executed on the logged-in user's web browser when accessing a crafted URL.
Impacted products
Vendor Product Version
PLANEX COMMUNICATIONS INC. MZK-DP300N Version: firmware versions 1.05 and earlier


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.8,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "HIGH",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21603",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-08T14:25:15.598070Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-08T14:26:18.169Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MZK-DP300N",
          "vendor": "PLANEX COMMUNICATIONS INC.",
          "versions": [
            {
              "status": "affected",
              "version": "firmware versions 1.05 and earlier"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting vulnerability exists in MZK-DP300N firmware versions 1.05 and earlier. If an attacker logs in to the affected product and manipulates the device settings, an arbitrary script may be executed on the logged-in user\u0027s web browser when accessing a crafted URL."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site scripting (XSS)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-08T03:30:50.390Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.planex.co.jp/support/download/mzk-dp300n/"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN57428125/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-21603",
    "datePublished": "2025-01-08T03:30:50.390Z",
    "dateReserved": "2024-12-27T00:21:54.234Z",
    "dateUpdated": "2025-01-08T14:26:18.169Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-62777 (GCVE-0-2025-62777)
Vulnerability from cvelistv5
Published
2025-10-28 04:53
Modified
2025-10-28 20:03
CWE
  • CWE-798 - Use of hard-coded credentials
Summary
Use of Hard-Coded Credentials issue exists in MZK-DP300N version 1.07 and earlier, which may allow an attacker within the local network to log in to the affected device via Telnet and execute arbitrary commands.
Impacted products


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62777",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-28T20:03:03.733091Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-28T20:03:14.159Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MZK-DP300N",
          "vendor": "PLANEX COMMUNICATIONS INC.",
          "versions": [
            {
              "status": "affected",
              "version": "1.07 and earlier"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Use of Hard-Coded Credentials issue exists in MZK-DP300N version 1.07 and earlier, which may allow an attacker within the local network to log in to the affected device via Telnet and execute arbitrary commands."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "Use of hard-coded credentials",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-28T04:53:00.768Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.planex.co.jp/products/mzk-dp300n/"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN00021602/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-62777",
    "datePublished": "2025-10-28T04:53:00.768Z",
    "dateReserved": "2025-10-22T09:51:31.094Z",
    "dateUpdated": "2025-10-28T20:03:14.159Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

jvndb-2025-000095
Vulnerability from jvndb
Published
2025-10-28 14:04
Modified
2025-10-28 14:04
Severity ?
Summary
MZK-DP300N uses hard-coded credentials
Details
MZK-DP300N provided by PLANEX COMMUNICATIONS INC. contains the following vulnerability.
  • Use of hard-coded credentials (CWE-798) - CVE-2025-62777
Toshiki Iwasaki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Impacted products


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000095.html",
  "dc:date": "2025-10-28T14:04+09:00",
  "dcterms:issued": "2025-10-28T14:04+09:00",
  "dcterms:modified": "2025-10-28T14:04+09:00",
  "description": "MZK-DP300N provided by PLANEX COMMUNICATIONS INC. contains the following vulnerability.\u003cul\u003e\u003cli\u003eUse of hard-coded credentials (CWE-798) - CVE-2025-62777\u003c/li\u003e\u003c/ul\u003e\r\nToshiki Iwasaki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000095.html",
  "sec:cpe": {
    "#text": "cpe:/o:planex:mzk-dp300n",
    "@product": "MZK-DP300N",
    "@vendor": "PLANEX COMMUNICATIONS INC.",
    "@version": "2.2"
  },
  "sec:cvss": {
    "@score": "8.8",
    "@severity": "High",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2025-000095",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN00021602/index.html",
      "@id": "JVN#00021602",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-62777",
      "@id": "CVE-2025-62777",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "MZK-DP300N uses hard-coded credentials"
}

jvndb-2024-000101
Vulnerability from jvndb
Published
2024-09-24 15:26
Modified
2024-09-24 15:26
Severity ?
Summary
Multiple vulnerabilities in PLANEX COMMUNICATIONS network devices
Details
Multiple network devices (network cameras and a router) provided by PLANEX COMMUNICATIONS INC. contain multiple vulnerabilities listed below.
  • Cross-site request forgery (CWE-352) - CVE-2024-45372
  • Cross-site scripting vulnerability in the web management page (CWE-79) - CVE-2024-45836
CVE-2024-45372: Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.
CVE-2024-45836: Ryota Honda, Akihito Takeuchi, Daichi Uezono, Junnosuke Kushibiki, Ryu Kuki, Takayuki Sasaki and Katsunari Yoshioka of Yokohama National University reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000101.html",
  "dc:date": "2024-09-24T15:26+09:00",
  "dcterms:issued": "2024-09-24T15:26+09:00",
  "dcterms:modified": "2024-09-24T15:26+09:00",
  "description": "Multiple network devices (network cameras and a router) provided by PLANEX COMMUNICATIONS INC. contain multiple vulnerabilities listed below.\u003cul\u003e\u003cli\u003eCross-site request forgery (CWE-352) - CVE-2024-45372\u003c/li\u003e\u003cli\u003eCross-site scripting vulnerability in the web management page (CWE-79) - CVE-2024-45836\u003c/li\u003e\u003c/ul\u003e\r\nCVE-2024-45372\r\nKentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.\r\n\r\nCVE-2024-45836\r\nRyota Honda, Akihito Takeuchi, Daichi Uezono, Junnosuke Kushibiki, Ryu Kuki, Takayuki Sasaki and Katsunari Yoshioka of Yokohama National University reported this vulnerability to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.",
  "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000101.html",
  "sec:cpe": [
    {
      "#text": "cpe:/o:planex:cs-qr10",
      "@product": "CS-QR10",
      "@vendor": "PLANEX COMMUNICATIONS INC.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:planex:cs-qr20",
      "@product": "CS-QR20",
      "@vendor": "PLANEX COMMUNICATIONS INC.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:planex:cs-qr22",
      "@product": "CS-QR22",
      "@vendor": "PLANEX COMMUNICATIONS INC.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:planex:cs-qr220",
      "@product": "CS-QR220",
      "@vendor": "PLANEX COMMUNICATIONS INC.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:planex:cs-qr300",
      "@product": "CS-QR300",
      "@vendor": "PLANEX COMMUNICATIONS INC.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:planex:mzk-dp300n",
      "@product": "MZK-DP300N",
      "@vendor": "PLANEX COMMUNICATIONS INC.",
      "@version": "2.2"
    }
  ],
  "sec:cvss": {
    "@score": "7.1",
    "@severity": "High",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2024-000101",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN81966868/index.html",
      "@id": "JVN#81966868",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-45372",
      "@id": "CVE-2024-45372",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-45836",
      "@id": "CVE-2024-45836",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-352",
      "@title": "Cross-Site Request Forgery(CWE-352)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "Multiple vulnerabilities in PLANEX COMMUNICATIONS network devices"
}

jvndb-2025-000001
Vulnerability from jvndb
Published
2025-01-08 17:08
Modified
2025-01-08 17:08
Severity ?
Summary
PLANEX COMMUNICATIONS MZK-DP300N vulnerable to cross-site scripting
Details
MZK-DP300N, wireless LAN router provided by PLANEX COMMUNICATIONS INC., contains a cross-site scripting vulnerability (CWE-79). Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Impacted products


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000001.html",
  "dc:date": "2025-01-08T17:08+09:00",
  "dcterms:issued": "2025-01-08T17:08+09:00",
  "dcterms:modified": "2025-01-08T17:08+09:00",
  "description": "MZK-DP300N, wireless LAN router provided by PLANEX COMMUNICATIONS INC., contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nKentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000001.html",
  "sec:cpe": {
    "#text": "cpe:/o:planex:mzk-dp300n",
    "@product": "MZK-DP300N",
    "@vendor": "PLANEX COMMUNICATIONS INC.",
    "@version": "2.2"
  },
  "sec:cvss": {
    "@score": "4.8",
    "@severity": "Medium",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2025-000001",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN57428125/index.html",
      "@id": "JVN#57428125",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-21603",
      "@id": "CVE-2025-21603",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "PLANEX COMMUNICATIONS MZK-DP300N vulnerable to cross-site scripting"
}