CVE-2019-13931

A vulnerability has been identified in XHQ (All versions < V6.0.0.2). The web interface could allow for an an attacker to craft the input in a form that is not expected, causing the application to behave in unexpected ways for legitimate users. Successful exploitation requires for an attacker to be authenticated to the web interface. A successful attack could cause the application to have unexpected behavior. This could allow the attacker to modify contents of the web application. At the time of advisory publication no public exploitation of this security vulnerability was known.

CVSS v3 5.4 MEDIUM
CVSS v2.0 3.5 LOW

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-525454.pdf	Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-525454.pdf	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:siemens:xhq:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:25

Type	Values Removed	Values Added
References	~~() https://cert-portal.siemens.com/productcert/pdf/ssa-525454.pdf - Vendor Advisory~~	() https://cert-portal.siemens.com/productcert/pdf/ssa-525454.pdf - Vendor Advisory

Information

Published : 2019-12-12 19:15

Updated : 2024-11-21 04:25

NVD link : CVE-2019-13931

Mitre link : CVE-2019-13931

CVE.ORG link : CVE-2019-13931

JSON object : View

Products Affected

siemens

xhq

CWE

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2019-13931", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2019-12-12T19:15:14.827", "references": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-525454.pdf", "tags": ["Vendor Advisory"], "source": "productcert@siemens.com"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-525454.pdf", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-80"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in XHQ (All versions < V6.0.0.2). The web interface could allow for an an attacker to craft the input in a form that is not expected, causing the application to behave in unexpected ways for legitimate users. Successful exploitation requires for an attacker to be authenticated to the web interface. A successful attack could cause the application to have unexpected behavior. This could allow the attacker to modify contents of the web application. At the time of advisory publication no public exploitation of this security vulnerability was known."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en XHQ (Todas las versiones anteriores a V6.0.0.2). La interfaz web podr\u00eda permitir a un atacante crear la entrada de una forma que no es esperada, causando que la aplicaci\u00f3n se comporte de manera inesperada para los usuarios leg\u00edtimos. Una explotaci\u00f3n con \u00e9xito requiere que un atacante se autentique en la interfaz web. Un ataque con \u00e9xito podr\u00eda causar que la aplicaci\u00f3n tenga un comportamiento inesperado. Esto podr\u00eda permitir al atacante modificar el contenido de la aplicaci\u00f3n web. Al momento de la publicaci\u00f3n del aviso, no era conocida la explotaci\u00f3n p\u00fablica de esta vulnerabilidad de seguridad."}], "lastModified": "2024-11-21T04:25:43.303", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:siemens:xhq:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "180ADD9E-93A2-44CC-A8BB-AA481EDFFAB8", "versionEndExcluding": "6.0.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "productcert@siemens.com"}