CVE-2018-19334

{"id": "CVE-2018-19334", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.6}]}, "published": "2018-11-20T09:29:03.990", "references": [{"url": "https://chromium.googlesource.com/infra/infra/+/77ef00cb53d90c9d1f984eca434d828de5c167a5", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://medium.com/%40luanherrera/xs-searching-googles-bug-tracker-to-find-out-vulnerable-source-code-50d8135b7549", "source": "cve@mitre.org"}, {"url": "https://www.reddit.com/r/netsec/comments/9yiidf/xssearching_googles_bug_tracker_to_find_out/ea2i7wz/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Google Monorail before 2018-05-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with an unsupported axis) can be used to obtain sensitive information about the content of bug reports."}, {"lang": "es", "value": "Google Monorail en versiones anteriores al 04/05/2018 tiene una vulnerabilidad Cross-Site Search (XS-Search) debido a que las descargas CSV se han visto afectadas por Cross-Site Request Forgery (CSRF) y los c\u00e1lculos de los tiempos de descarga (para las peticiones con un eje no soportado) se pueden emplear para obtener informaci\u00f3n sensible sobre el contenido de los informes de errores."}], "lastModified": "2023-11-07T02:55:31.613", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:monorail:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "61CC9215-9642-4EC6-8142-5B5BB1DEE48C", "versionEndExcluding": "2018-05-04"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}