CVE-2018-5411

{"id": "CVE-2018-5411", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2018-12-13T22:29:00.423", "references": [{"url": "http://www.securityfocus.com/bid/106209", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cret@cert.org"}, {"url": "https://www.kb.cert.org/vuls/id/756913/", "tags": ["US Government Resource", "Third Party Advisory"], "source": "cret@cert.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "cret@cert.org", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Pixar's Tractor software, versions 2.2 and earlier, contain a stored cross-site scripting vulnerability in the field that allows a user to add a note to an existing node. The stored information is displayed when a user requests information about the node. An attacker could insert Javascript into this note field that is then saved and displayed to the end user. An attacker might include Javascript that could execute on an authenticated user's system that could lead to website redirects, session cookie hijacking, social engineering, etc. As this is stored with the information about the node, all other authenticated users with access to this data are also vulnerable."}, {"lang": "es", "value": "El software Tractor, de Pixar, en versiones 2.2 y anteriores, contiene una vulnerabilidad Cross-Site Scripting (XSS) persistente en el campo que permite a un usuario a\u00f1adir una nota a un nodo existente. La informaci\u00f3n almacenada se muestra cuando un usuario solicita informaci\u00f3n sobre el nodo. Un atacante podr\u00eda insertar JavaScript en este campo note, que luego se guarda y se muestra al usuario. Un atacante podr\u00eda incluir JavaScript que podr\u00eda ejecutarse en el sistema de un usuario autenticado y conducir a redirecciones de sitios web, secuestro de cookies de sesi\u00f3n, ingenier\u00eda social, etc. Como esto se almacena con la informaci\u00f3n sobre el nodo, el resto de usuarios autenticados con acceso a estos datos tambi\u00e9n son vulnerables."}], "lastModified": "2019-10-09T23:41:19.280", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pixar:tractor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8EB8D266-E03E-4590-8238-FB3A7516B097", "versionEndIncluding": "2.2"}], "operator": "OR"}]}], "sourceIdentifier": "cret@cert.org"}