CVE-2020-35741

HGiga MailSherlock does not validate user parameters on multiple login pages. Attackers can use the vulnerability to inject JavaScript syntax for XSS attacks.

CVSS v3 7.0 HIGH
CVSS v2.0 4.3 MEDIUM

7.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://www.twcert.org.tw/tw/cp-132-4260-ba376-1.html	Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-4260-ba376-1.html	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hgiga:msr45_isherlock-antispam::::::::
	cpe:2.3:a:hgiga:msr45_isherlock-user::::::::
	cpe:2.3:a:hgiga:ssr45_isherlock-antispam::::::::
	cpe:2.3:a:hgiga:ssr45_isherlock-user::::::::

History

21 Nov 2024, 05:27

Type	Values Removed	Values Added
CVSS	v2 : ~~4.3~~ v3 : ~~6.1~~	v2 : 4.3 v3 : 7.0
References	~~() https://www.twcert.org.tw/tw/cp-132-4260-ba376-1.html - Third Party Advisory~~	() https://www.twcert.org.tw/tw/cp-132-4260-ba376-1.html - Third Party Advisory

Information

Published : 2020-12-31 08:15

Updated : 2024-11-21 05:27

NVD link : CVE-2020-35741

Mitre link : CVE-2020-35741

CVE.ORG link : CVE-2020-35741

JSON object : View

Products Affected

hgiga

ssr45_isherlock-user
ssr45_isherlock-antispam
msr45_isherlock-antispam
msr45_isherlock-user

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2020-35741", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Secondary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2020-12-31T08:15:13.660", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-4260-ba376-1.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}, {"url": "https://www.twcert.org.tw/tw/cp-132-4260-ba376-1.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "twcert@cert.org.tw", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "HGiga MailSherlock does not validate user parameters on multiple login pages. Attackers can use the vulnerability to inject JavaScript syntax for XSS attacks."}, {"lang": "es", "value": "HGiga MailSherlock no comprueba los par\u00e1metros de usuario en m\u00faltiples p\u00e1ginas de inicio de sesi\u00f3n. Unos atacantes pueden usar la vulnerabilidad para inyectar la sintaxis de JavaScript para ataques de tipo XSS."}], "lastModified": "2024-11-21T05:27:59.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hgiga:msr45_isherlock-antispam:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2E5B5E25-BC65-49E2-9865-9BC9A4DE98F0", "versionEndExcluding": "4.5-133"}, {"criteria": "cpe:2.3:a:hgiga:msr45_isherlock-user:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F203F7FA-9E30-49AD-956C-5E893B1264A4", "versionEndExcluding": "4.5-120"}, {"criteria": "cpe:2.3:a:hgiga:ssr45_isherlock-antispam:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DAAA3F24-7821-4F5A-A64E-EEA30B269DD2", "versionEndExcluding": "4.5-133"}, {"criteria": "cpe:2.3:a:hgiga:ssr45_isherlock-user:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BE0FEDEB-2C43-4C45-800A-9323146DC214", "versionEndExcluding": "4.5-120"}], "operator": "OR"}]}], "sourceIdentifier": "twcert@cert.org.tw"}