CVE-2010-4507
CVE-2010-4507 is a critical-severity vulnerability in Clear Ispot Firmware with a CVSS 2.0 base score of 9.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-352.
Key facts
- Severity: Critical (CVSS 2.0 base score 9.3)
- EPSS exploit prediction: 2% (76th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-352
- Affected product: Clear Ispot Firmware
- Published:
- Last modified:
Description
Multiple cross-site request forgery (CSRF) vulnerabilities on the iSpot 2.0.0.0 R1679, and the ClearSpot 2.0.0.0 R1512 and R1786, with firmware 1.9.9.4 allow remote attackers to hijack the authentication of administrators for requests that (1) execute arbitrary commands via the cmd parameter in an act_cmd_result action to webmain.cgi, (2) enable remote management via an enable_remote_access act_network_set action to webmain.cgi, (3) enable the TELNET service via an ENABLE_TELNET act_set_wimax_etc_config action to webmain.cgi, (4) enable TELNET sessions via a certain act_network_set action to webmain.cgi, or (5) read arbitrary files via the FILE_PATH parameter in an act_file_download action to upgrademain.cgi.
Frequently asked questions
- What is CVE-2010-4507?
- Multiple cross-site request forgery (CSRF) vulnerabilities on the iSpot 2.0.0.0 R1679, and the ClearSpot 2.0.0.0 R1512 and R1786, with firmware 1.9.9.4 allow remote attackers to hijack the authentication of administrators for requests that (1) execute arbitrary commands via the cmd parameter in an act_cmd_result action to webmain.cgi, (2) enable remote management via an enable_remote_access act_network_set action to webmain.cgi, (3) enable the TELNET service via an ENABLE_TELNET act_set_wimax_etc_config action to webmain.cgi, (4) enable TELNET sessions via a certain act_network_set action to webmain.cgi, or (5) read arbitrary files via the FILE_PATH parameter in an act_file_download action to upgrademain.cgi.
- How severe is CVE-2010-4507?
- CVE-2010-4507 has a CVSS 2.0 base score of 9.3, rated critical severity.
- Is CVE-2010-4507 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (76th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2010-4507?
- CVE-2010-4507 primarily affects Clear Ispot Firmware. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2010-4507?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2010-4507 published?
- CVE-2010-4507 was published on 2010-12-30 and last updated on 2026-06-16.
References
- http://secunia.com/advisories/42590
- http://www.exploit-db.com/exploits/15728/
- https://www.trustwave.com/spiderlabs/advisories/TWSL2010-008.txt
Affected products (5)
- cpe:2.3:a:clear:ispot_firmware:1.9.9.4:*:*:*:*:*:*:*
- cpe:2.3:h:clear:ispot:2.0.0.0:r1679:*:*:*:*:*:*
- cpe:2.3:a:clear:clearspot_firmware:1.9.9.4:*:*:*:*:*:*:*
- cpe:2.3:h:clear:clearspot:2.0.0.0:r1512:*:*:*:*:*:*
- cpe:2.3:h:clear:clearspot:2.0.0.0:r1786:*:*:*:*:*:*
Other CWE-352 (Cross-Site Request Forgery (CSRF)) vulnerabilities
- CVE-2025-32642 — Critical (CVSS 10.0): Cross-Site Request Forgery (CSRF) vulnerability in appsbd Vite Coupon vite-coupon allows Remote Code Inclusion.This…
- CVE-2025-23922 — Critical (CVSS 10.0): Cross-Site Request Forgery (CSRF) vulnerability in Harsh iSpring Embedder embed-ispring allows Upload a Web Shell to a…
- CVE-2017-5145 — Critical (CVSS 10.0): An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware…
- CVE-2019-25729 — Critical (CVSS 9.8): PDF Signer 3.0 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute…
- CVE-2025-48340 — Critical (CVSS 9.8): Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager user-profile-meta allows…
- CVE-2025-2907 — Critical (CVSS 9.8): The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing…
Browse all CWE-352 (Cross-Site Request Forgery (CSRF)) vulnerabilities →