CVE-2017-18358

{"id": "CVE-2017-18358", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2019-01-15T16:29:00.383", "references": [{"url": "https://blog.ripstech.com/2018/limesurvey-persistent-xss-to-code-execution/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/LimeSurvey/LimeSurvey/commit/700b20e2ae918550bfbf283f433f07622480978b", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "LimeSurvey before 2.72.4 has Stored XSS by using the Continue Later (aka Resume later) feature to enter an email address, which is mishandled in the admin panel."}, {"lang": "es", "value": "LimeSurvey en versiones anteriores a la 2.72.4 tiene Cross-Site Scripting (XSS) persistente mediante el uso de la caracter\u00edstica \"Continue Later\" (tambi\u00e9n conocida como \"Resume later\") para introducir una direcci\u00f3n de correo electr\u00f3nico, que se gestiona de manera incorrecta en el panel de administraci\u00f3n."}], "lastModified": "2019-01-24T15:42:47.710", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:limesurvey:limesurvey:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "56AE5B70-097C-4DF2-A709-FEF829B35F7D", "versionEndExcluding": "2.72.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}