CVE-2013-4372

Multiple cross-site scripting (XSS) vulnerabilities in Fuse Management Console in Red Hat JBoss Fuse 6.0.0 before patch 3 and JBoss A-MQ 6.0.0 before patch 3 allow remote attackers to inject arbitrary web script or HTML via the (1) user field in the create user page or (2) profile version to the create profile page.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://fusesource.com/forge/git/fuseenterprise.git/?p=fuseenterprise.git%3Ba=commitdiff%3Bh=f5436ea1c5547c851bb6f92561272fe42c146e68
http://fusesource.com/issues/browse/FMC-495	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-1286.html
http://rhn.redhat.com/errata/RHSA-2013-1862.html
http://www.securityfocus.com/bid/62659
https://bugzilla.redhat.com/show_bug.cgi?id=1011736	Patch
https://github.com/jboss-fuse/fuse/commit/e280cb370323eeb759030919d5111ed809e8ded5	Exploit Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:jboss_a-mq:6.0.0:::::::*
	cpe:2.3:a:redhat:jboss_fuse:6.0.0:::::::*

History

13 Feb 2023, 04:46

Type	Values Removed	Values Added
References	{'url': 'http://fusesource.com/forge/git/fuseenterprise.git/?p=fuseenterprise.git;a=commitdiff;h=f5436ea1c5547c851bb6f92561272fe42c146e68', 'name': 'http://fusesource.com/forge/git/fuseenterprise.git/?p=fuseenterprise.git;a=commitdiff;h=f5436ea1c5547c851bb6f92561272fe42c146e68', 'tags': ['Exploit', 'Patch'], 'refsource': 'CONFIRM'}	(MISC) http://fusesource.com/forge/git/fuseenterprise.git/?p=fuseenterprise.git%3Ba=commitdiff%3Bh=f5436ea1c5547c851bb6f92561272fe42c146e68 -

Information

Published : 2013-09-30 21:55

Updated : 2023-12-10 11:16

NVD link : CVE-2013-4372

Mitre link : CVE-2013-4372

CVE.ORG link : CVE-2013-4372

JSON object : View

Products Affected

redhat

jboss_fuse
jboss_a-mq

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2013-4372", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2013-09-30T21:55:07.377", "references": [{"url": "http://fusesource.com/forge/git/fuseenterprise.git/?p=fuseenterprise.git%3Ba=commitdiff%3Bh=f5436ea1c5547c851bb6f92561272fe42c146e68", "source": "secalert@redhat.com"}, {"url": "http://fusesource.com/issues/browse/FMC-495", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-1286.html", "source": "secalert@redhat.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-1862.html", "source": "secalert@redhat.com"}, {"url": "http://www.securityfocus.com/bid/62659", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1011736", "tags": ["Patch"], "source": "secalert@redhat.com"}, {"url": "https://github.com/jboss-fuse/fuse/commit/e280cb370323eeb759030919d5111ed809e8ded5", "tags": ["Exploit", "Patch"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Fuse Management Console in Red Hat JBoss Fuse 6.0.0 before patch 3 and JBoss A-MQ 6.0.0 before patch 3 allow remote attackers to inject arbitrary web script or HTML via the (1) user field in the create user page or (2) profile version to the create profile page."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en Fuse Management Console en Red Hat JBoss Fuse 6.0.0 anterior al parche 3 y JBoss A-MQ 6.0.0 anterior al parche 3 permite a atacantes remotos inyectar script web o HTML arbitrario a trav\u00e9s de (1) campos de usuario en la p\u00e1gina de creaci\u00f3n de usuarios o (2) en la versi\u00f3n de perfil de la p\u00e1gina de creaci\u00f3n de perfiles."}], "lastModified": "2023-02-13T04:46:49.323", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33C4404A-CFB7-4B47-9487-F998825C31CA"}, {"criteria": "cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A305F012-544E-4245-9D69-1C8CD37748B1"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}