CVE-2019-19393

{"id": "CVE-2019-19393", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2020-10-01T17:15:13.057", "references": [{"url": "https://github.com/miguelhamal/CVE-2019-19393", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.rittal.us/monitoring-security/cmc-iii.html", "tags": ["Broken Link", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/miguelhamal/CVE-2019-19393", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.rittal.us/monitoring-security/cmc-iii.html", "tags": ["Broken Link", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The Web application on Rittal CMC PU III 7030.000 V3.00 V3.11.00_2 to V3.15.70_4 devices fails to sanitize user input on the system configurations page. This allows an attacker to backdoor the device with HTML and browser-interpreted content (such as JavaScript or other client-side scripts) as the content is always displayed after and before login. Persistent XSS allows an attacker to modify displayed content or to change the victim's information. Successful exploitation requires access to the web management interface, either with valid credentials or a hijacked session."}, {"lang": "es", "value": "La aplicaci\u00f3n Web de los dispositivos Rittal CMC PU III 7030.000 versiones V3.00, V3.11.00_2 hasta V3.15.70_4, no sanea la entrada del usuario en la p\u00e1gina system configurations. Esto permite a un atacante hacer una puerta trasera en el dispositivo con HTML y contenido interpretado por el navegador (como JavaScript u otros scripts del lado del cliente) ya que el contenido es siempre mostrado antes y despu\u00e9s del inicio de sesi\u00f3n. Una vulnerabilidad de tipo XSS persistente permite a un atacante modificar el contenido mostrado o cambiar la informaci\u00f3n de la v\u00edctima. Una explotaci\u00f3n con \u00e9xito requiere acceso a la interfaz de administraci\u00f3n web, ya sea con credenciales v\u00e1lidas o una sesi\u00f3n secuestrada"}], "lastModified": "2024-11-21T04:34:42.700", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:rittal:cmc_pu_iii_7030.000_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6543A85E-D583-4845-8708-A9014E76D411", "versionEndIncluding": "3.15.70_4", "versionStartIncluding": "3.11.00_2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:rittal:cmc_pu_iii_7030.000:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8DC10999-2CB2-4607-9D48-3047B09502BB", "versionEndIncluding": "6.01", "versionStartIncluding": "3.00"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}