CVE-2024-34577: Cross-site scripting vulnerability exists in WRC-X3000GS2-B, WRC-X3000GS2-W, WRC-X3000GS2A-B and WRC-X3000G...
Cross-site scripting vulnerability exists in WRC-X3000GS2-B, WRC-X3000GS2-W, WRC-X3000GS2A-B and WRC-X3000GST2-B due to improper processing of input values in easysetup.cgi. If a user views a malicious web page while logged in to the product, an arbitrary script may be executed on the user's web browser.
Security readout for executives and security teams
Plain-English summary
This issue affects several ELECOM Wi-Fi router models. A logged-in administrator who visits a malicious web page could have script run in their browser against the router management session. Business risk is moderate because exploitation requires an authenticated user and user interaction, but it could expose or alter limited router management data.
Executive priority
Treat this as a moderate operational security item. Prioritize remediation where affected routers manage business networks or are administered by users who browse the internet from the same browser session.
Technical view
CVE-2024-34577 is a CWE-79 cross-site scripting flaw in easysetup.cgi. Affected firmware includes WRC-X3000GS2-B/W and WRC-X3000GS2A-B v1.08 and earlier, and WRC-X3000GST2-B v1.06 and earlier. CVSS 3.1 is 4.6 with network access, low complexity, low privileges, required user interaction, and low confidentiality and integrity impact.
Likely exposure
Exposure is limited to organizations or users running the named ELECOM router models at the affected firmware versions. Risk increases when administrators remain logged in to the router web interface while browsing untrusted pages.
Exploitation context
The supplied sources do not show CISA KEV listing or active exploitation. The described attack requires a logged-in product user to view a malicious web page, causing arbitrary script execution in that user’s browser.
Researcher notes
Evidence supports reflected or stored XSS-style impact in easysetup.cgi, but the bundle does not specify exact parameters, fixed versions, or proof-of-concept details. No CPEs are provided in the affected product records.
Mitigation direction
Inventory the named ELECOM router models and firmware versions.
Review ELECOM and JVN guidance for fixed firmware or vendor mitigations.
Limit router administration to trusted management networks.
Avoid browsing untrusted sites while logged in to the router interface.
End router admin sessions immediately after configuration work.
Validation and detection
Confirm whether any affected ELECOM model is deployed.
Record firmware versions and compare them with the affected version ranges.
Review administrative access paths to the router web interface.
Check whether administrators use separate browser sessions for router management.
Track vendor advisories for remediation status and update instructions.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.