CVE-2018-5411

Pixar's Tractor software, versions 2.2 and earlier, contain a stored cross-site scripting vulnerability in the field that allows a user to add a note to an existing node. The stored information is displayed when a user requests information about the node. An attacker could insert Javascript into this note field that is then saved and displayed to the end user. An attacker might include Javascript that could execute on an authenticated user's system that could lead to website redirects, session cookie hijacking, social engineering, etc. As this is stored with the information about the node, all other authenticated users with access to this data are also vulnerable.

CVSS v3 5.4 MEDIUM
CVSS v2.0 3.5 LOW

5.4^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/106209	Third Party Advisory VDB Entry
https://www.kb.cert.org/vuls/id/756913/	US Government Resource Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pixar:tractor:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-12-13 22:29

Updated : 2023-12-10 12:44

NVD link : CVE-2018-5411

Mitre link : CVE-2018-5411

CVE.ORG link : CVE-2018-5411

JSON object : View

Products Affected

pixar

tractor

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2018-5411", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2018-12-13T22:29:00.423", "references": [{"url": "http://www.securityfocus.com/bid/106209", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cret@cert.org"}, {"url": "https://www.kb.cert.org/vuls/id/756913/", "tags": ["US Government Resource", "Third Party Advisory"], "source": "cret@cert.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "cret@cert.org", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Pixar's Tractor software, versions 2.2 and earlier, contain a stored cross-site scripting vulnerability in the field that allows a user to add a note to an existing node. The stored information is displayed when a user requests information about the node. An attacker could insert Javascript into this note field that is then saved and displayed to the end user. An attacker might include Javascript that could execute on an authenticated user's system that could lead to website redirects, session cookie hijacking, social engineering, etc. As this is stored with the information about the node, all other authenticated users with access to this data are also vulnerable."}, {"lang": "es", "value": "El software Tractor, de Pixar, en versiones 2.2 y anteriores, contiene una vulnerabilidad Cross-Site Scripting (XSS) persistente en el campo que permite a un usuario a\u00f1adir una nota a un nodo existente. La informaci\u00f3n almacenada se muestra cuando un usuario solicita informaci\u00f3n sobre el nodo. Un atacante podr\u00eda insertar JavaScript en este campo note, que luego se guarda y se muestra al usuario. Un atacante podr\u00eda incluir JavaScript que podr\u00eda ejecutarse en el sistema de un usuario autenticado y conducir a redirecciones de sitios web, secuestro de cookies de sesi\u00f3n, ingenier\u00eda social, etc. Como esto se almacena con la informaci\u00f3n sobre el nodo, el resto de usuarios autenticados con acceso a estos datos tambi\u00e9n son vulnerables."}], "lastModified": "2019-10-09T23:41:19.280", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pixar:tractor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8EB8D266-E03E-4590-8238-FB3A7516B097", "versionEndIncluding": "2.2"}], "operator": "OR"}]}], "sourceIdentifier": "cret@cert.org"}