CVE-2019-15701

{"id": "CVE-2019-15701", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2019-08-27T18:15:11.217", "references": [{"url": "https://github.com/BloodHoundAD/BloodHound/issues/267", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/BloodHoundAD/BloodHound/issues/267", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "components/Modals/HelpModal.jsx in BloodHound 2.2.0 allows remote attackers to execute arbitrary OS commands (by spawning a child process as the current user on the victim's machine) when the search function's autocomplete feature is used. The victim must import data from an Active Directory with a GPO containing JavaScript in its name."}, {"lang": "es", "value": "components/Modals/HelpModal.jsx en BloodHound 2.2.0 permite a los atacantes remotos ejecutar comandos de sistema operativo arbitrarios (generando un proceso secundario como el usuario actual en el equipo de la v\u00edctima) cuando se utiliza la funci\u00f3n de autocompletar de la funci\u00f3n de b\u00fasqueda. La v\u00edctima debe importar datos de un Active Directory con un GPO que contenga JavaScript en su nombre."}], "lastModified": "2024-11-21T04:29:17.217", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bloodhound_project:bloodhound:2.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8B883763-6DDB-4C8D-8ABA-669F35FC0D05"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}