CVE-2018-11448

{"id": "CVE-2018-11448", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2018-06-26T18:29:00.697", "references": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-977428.pdf", "tags": ["Third Party Advisory"], "source": "productcert@siemens.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in SCALANCE M875 (All versions). The web interface on port 443/tcp could allow a stored Cross-Site Scripting (XSS) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires that the attacker has access to the web interface of an affected device. The attacker must be authenticated as administrative user on the web interface. Afterwards, a legitimate user must access the web interface. A successful attack could allow an attacker to execute malicious code in the browser of a legitimate user. At the time of advisory publication no public exploitation of this security vulnerability was known."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en SCALANCE M875 (todas las versiones). La interfaz web en el puerto 443/tcp podr\u00eda permitir un ataque Cross-Site Scripting (XSS) persistente si se enga\u00f1a a un usuario desprevenido para que acceda a un enlace malicioso. Su explotaci\u00f3n con \u00e9xito requiere que el atacante tenga acceso a la interfaz web de un dispositivo afectado. El atacante debe estar autenticado como usuario administrativo en la interfaz web. Despu\u00e9s, un usuario leg\u00edtimo debe acceder a la interfaz web. Un ataque con \u00e9xito podr\u00eda permitir que el atacante ejecute c\u00f3digo malicioso en el navegador de un usuario leg\u00edtimo. En el momento de la publicaci\u00f3n del advisory, no se conoce ninguna explotaci\u00f3n p\u00fablica de la vulnerabilidad de seguridad."}], "lastModified": "2019-10-09T23:33:31.713", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:siemens:scalance_m875_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "880C1489-FB3E-4697-A266-377A616C6EB5"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:siemens:scalance_m875:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "25AFAF4D-2485-4245-BF72-99C5EC471FF4"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "productcert@siemens.com"}