CVE-2018-4848

Опубликовано: 14 июн. 2018

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < V5.2.3), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.4.1), SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.3). The integrated configuration web server of the affected devices could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user must be logged into the web interface in order for the exploitation to succeed. At the stage of publishing this security advisory no public exploitation is known. The vendor has confirmed the vulnerability and provides mitigations to resolve it.

Ссылки

http://www.securityfocus.com/bid/104494
Third Party Advisory
VDB Entry
https://cert-portal.siemens.com/productcert/pdf/ssa-480829.pdf
Third Party Advisory
Vendor Advisory
http://www.securityfocus.com/bid/104494
Third Party Advisory
VDB Entry
https://cert-portal.siemens.com/productcert/pdf/ssa-480829.pdf
Third Party Advisory
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:siemens:scalance_x300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_x300:-:*:*:*:*:*:*:*

Конфигурация 2

Одновременно

cpe:2.3:o:siemens:scalance_x-200_irt_firmware:*:*:*:*:*:*:*:*

Версия до 5.4.1 (исключая)

cpe:2.3:h:siemens:scalance_x-200_irt:-:*:*:*:*:*:*:*

Конфигурация 3

Одновременно

cpe:2.3:h:siemens:scalance_x-200_firmware:*:*:*:*:*:*:*:*

Версия до 5.2.3 (исключая)

cpe:2.3:h:siemens:scalance_x-200:-:*:*:*:*:*:*:*

EPSS

Процентиль: 54%

0.00311

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-80

CWE-79

Связанные уязвимости

GHSA-9g23-gj69-j9g7

CVSS3: 6.1

github

больше 3 лет назад

A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < V5.2.3), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.4.1), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.3). The integrated configuration web server of the affected Scalance X Switches could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user must be logged into the web interface in order for the exploitation to succeed. At the stage of publishing this security advisory no public exploitation is known. The vendor has confirmed the vulnerability and provides mitigations to resolve it.

BDU:2020-00571

CVSS3: 5.8

fstec

больше 7 лет назад

Уязвимость веб-сервера промышленных коммутаторов Siemens SCALANCE X-200, SCALANCE X-200IRT, SCALANCE X-300, позволяющая нарушителю осуществлять межсайтовые сценарные атаки

EPSS

Процентиль: 54%

0.00311

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-80

CWE-79