CVE-2022-28816

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy is prone to reflected XSS which only affects the Sentilo service.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://cert.vde.com/en/advisories/VDE-2022-029/	Third Party Advisory
https://cert.vde.com/en/advisories/VDE-2022-029/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gavazziautomation:cpy_car_park_server:*:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:edp:*:*:*:*:*

cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:edp:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:security_enhanced:*:*:*:*:*

cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:security_enhanced:*:*:*:*:*

History

21 Nov 2024, 06:57

Type	Values Removed	Values Added
References	~~() https://cert.vde.com/en/advisories/VDE-2022-029/ - Third Party Advisory~~	() https://cert.vde.com/en/advisories/VDE-2022-029/ - Third Party Advisory

Information

Published : 2022-09-28 14:15

Updated : 2024-11-21 06:57

NVD link : CVE-2022-28816

Mitre link : CVE-2022-28816

CVE.ORG link : CVE-2022-28816

JSON object : View

Products Affected

gavazziautomation

uwp_3.0_monitoring_gateway_and_controller
uwp_3.0_monitoring_gateway_and_controller_firmware
cpy_car_park_server

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2022-28816", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "info@cert.vde.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2022-09-28T14:15:10.743", "references": [{"url": "https://cert.vde.com/en/advisories/VDE-2022-029/", "tags": ["Third Party Advisory"], "source": "info@cert.vde.com"}, {"url": "https://cert.vde.com/en/advisories/VDE-2022-029/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "info@cert.vde.com", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy is prone to reflected XSS which only affects the Sentilo service."}, {"lang": "es", "value": "En Carlo Gavazzi UWP versi\u00f3n 3.0 en m\u00faltiples versiones y CPY Car Park Server en versi\u00f3n 2.8.3, el Proxy Sentilo es propenso a un ataque de tipo XSS reflejado que solo afecta al servicio Sentilo"}], "lastModified": "2024-11-21T06:57:59.333", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gavazziautomation:cpy_car_park_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6E670508-7A94-4A01-9C2B-51E82D5A861F", "versionEndExcluding": "2.8.3"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "14B2D9AB-2D19-4AD6-A049-CDB6814CC8D0", "versionEndExcluding": "8.5.0.3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "90DBF492-5F3A-4F53-ACFC-59F89470D632"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:edp:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5BFC1445-995C-44F7-BE85-E0C1D462573E", "versionEndExcluding": "8.5.0.3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:edp:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C7900CB8-560F-4DD7-82B9-8226A8F5F5CC"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:security_enhanced:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F6584CB1-FA0B-468D-AA58-F2D2F33763AA", "versionEndExcluding": "8.5.0.3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:security_enhanced:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B29F6465-3533-4B50-B436-4DC4E6F1B361"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "info@cert.vde.com"}