CVE-2019-14478

AdRem NetCrunch 10.6.0.4587 has a stored Cross-Site Scripting (XSS) vulnerability in the NetCrunch web client. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript code in the context of the user's browser if the victim opens or searches for a node whose "Display Name" contains an XSS payload.

CVSS v3 5.4 MEDIUM
CVSS v2.0 3.5 LOW

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://compass-security.com/fileadmin/Research/Advisories/2020-12_CSNC-2019-013_AdRem_NetCrunch_Cross-Site_Scripting_XSS.txt	Exploit Third Party Advisory
https://www.adremsoft.com/support/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:adremsoft:netcrunch:10.6.0.4587:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-12-16 17:15

Updated : 2023-12-10 13:41

NVD link : CVE-2019-14478

Mitre link : CVE-2019-14478

CVE.ORG link : CVE-2019-14478

JSON object : View

Products Affected

adremsoft

netcrunch

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2019-14478", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2020-12-16T17:15:12.890", "references": [{"url": "https://compass-security.com/fileadmin/Research/Advisories/2020-12_CSNC-2019-013_AdRem_NetCrunch_Cross-Site_Scripting_XSS.txt", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.adremsoft.com/support/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "AdRem NetCrunch 10.6.0.4587 has a stored Cross-Site Scripting (XSS) vulnerability in the NetCrunch web client. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript code in the context of the user's browser if the victim opens or searches for a node whose \"Display Name\" contains an XSS payload."}, {"lang": "es", "value": "AdRem NetCrunch versi\u00f3n 10.6.0.4587, presenta una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenado en el cliente web NetCrunch. Los datos de entrada del usuario no son codificados apropiadamente cuando han sido devueltos al usuario. Estos datos pueden ser interpretados como c\u00f3digo ejecutable por el navegador y permite a un atacante ejecutar c\u00f3digo JavaScript en el contexto del navegador del usuario si la v\u00edctima abre o busca un nodo cuyo \"Display Name\" contiene una carga \u00fatil de tipo XSS"}], "lastModified": "2020-12-17T16:32:03.080", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:adremsoft:netcrunch:10.6.0.4587:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "41BEC585-2FD8-49F7-87D6-566361EDB4D6"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}