CVE-2018-13001

{"id": "CVE-2018-13001", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2018-06-29T14:29:00.260", "references": [{"url": "https://www.vulnerability-lab.com/get_content.php?id=2122", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An XSS issue was discovered in Sandoba CP:Shop v2016.1. The vulnerability is located in the `admin.php` file of the `./cpshop/` module. Remote attackers are able to inject their own script codes to the client-side requested vulnerable web-application parameters. The attack vector of the vulnerability is non-persistent and the request method to inject/execute is GET with the path, search, rename, or dir parameter."}, {"lang": "es", "value": "Se ha descubierto un problema de Cross-Site Scripting (XSS) en Sandoba CP:Shop v2016.1. La vulnerabilidad se encuentra en el archivo \"admin.php\" del m\u00f3dulo \"./cpshop/\". Los atacantes remotos pueden inyectar sus propios c\u00f3digos script en los par\u00e1metros de aplicaciones web vulnerables solicitados desde el lado del cliente. El vector de ataque de la vulnerabilidad no es persistente y el m\u00e9todo de petici\u00f3n para inyectar/ejecutar es GET con los par\u00e1metros path, search, rename o dir."}], "lastModified": "2018-08-20T11:58:59.677", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sandoba:cp\\:\\:shop:2016.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "284BB394-46EA-4E85-AD3C-65432CC72D6C"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}