CVE-2020-13652

An issue was discovered in DigDash 2018R2 before p20200528, 2019R1 before p20200528, 2019R2 before p20200430, and 2020R1 before p20200507. A cross-site scripting (XSS) vulnerability exists in the login menu.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://know.bishopfox.com/advisories/digdash-version-2018	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:digdash:digdash:2018r2:::::::*
	cpe:2.3:a:digdash:digdash:2019r1:::::::*
	cpe:2.3:a:digdash:digdash:2019r2:::::::*

History

No history.

Information

Published : 2020-06-15 19:15

Updated : 2024-02-28 17:47

NVD link : CVE-2020-13652

Mitre link : CVE-2020-13652

CVE.ORG link : CVE-2020-13652

JSON object : View

Products Affected

digdash

digdash

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2020-13652", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2020-06-15T19:15:10.107", "references": [{"url": "https://know.bishopfox.com/advisories/digdash-version-2018", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in DigDash 2018R2 before p20200528, 2019R1 before p20200528, 2019R2 before p20200430, and 2020R1 before p20200507. A cross-site scripting (XSS) vulnerability exists in the login menu."}, {"lang": "es", "value": "Se detect\u00f3 un problema en DigDash versiones 2018R2 anteriores a p20200528, versiones 2019R1 anteriores a p20200421 y versiones 2019R2 anteriores a p20200430. Permite al usuario proporcionar datos que se utilizar\u00e1n para generar el archivo JNLP utilizado por un cliente para obtener la aplicaci\u00f3n Java correcta. Al proporcionar una URL controlada por el atacante, el cliente obtendr\u00e1 un archivo JNLP falso que especifica la instalaci\u00f3n de archivos JAR maliciosos y se ejecutar\u00e1 con todos los privilegios en la computadora del cliente"}], "lastModified": "2020-06-19T20:59:55.207", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:digdash:digdash:2018r2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A520A09-9D05-4CF8-88D2-77BD62C47AEA"}, {"criteria": "cpe:2.3:a:digdash:digdash:2019r1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4EA7414-EE5A-4ACE-A386-E97EA10534A7"}, {"criteria": "cpe:2.3:a:digdash:digdash:2019r2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1EF8CA72-BF41-4543-9F1C-1B0FF088EECE"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}