CVE-2018-20816

{"id": "CVE-2018-20816", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2019-04-05T16:29:00.240", "references": [{"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_11", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_24", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/salesagility/SuiteDocs/pull/198/files", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_11", "tags": ["Release Notes", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_24", "tags": ["Release Notes", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/salesagility/SuiteDocs/pull/198/files", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the \"add dashboard pages\" feature where users can receive a malicious attack through a phished URL, with script executed."}, {"lang": "es", "value": "Una vulnerabilidad de Cross-Site Scripting (XSS) combinada con una de Cross-Site Request Forgery (CSRF) descubierta en SalesAgility SuiteCRM, en las versiones 7.x anteriores a la 7.8.24, y en las 7.10.x anteriores a la 7.10.11, conduce a un robo de cookies tambi\u00e9n conocido como un secuestro de sesi\u00f3n. Este problema afecta a la funcionalidad \"add dashboard pages\" donde los usuarios pueden recibir un ataque malicioso mediante una URL suplantada con script ejecutado."}], "lastModified": "2024-11-21T04:02:14.723", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1E3B9EBC-42B3-40E0-8CF3-28D6720C2758", "versionEndExcluding": "7.8.24", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3FABFA53-0B5C-40B0-8ECA-EEAAC16BC3D1", "versionEndExcluding": "7.10.11", "versionStartIncluding": "7.10.00"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}