CVE-2021-3314

{"id": "CVE-2021-3314", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2021-06-25T16:15:17.203", "references": [{"url": "https://n4nj0.github.io/advisories/oracle-glassfish-reflected-xss/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.gruppotim.it/redteam", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Oracle GlassFish Server 3.1.2.18 and below allows /common/logViewer/logViewer.jsf XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. NOTE: This vulnerability only affects products that are no longer supported by the maintainer"}, {"lang": "es", "value": "** NO COMPATIBLE CUANDO SE ASIGN\u00d3 ** Oracle GlassFish Server versiones 3.1.2.18 y por debajo permite un ataque de tipo XSS en el archivo /common/logViewer/logViewer.jsf. Un usuario malicioso puede causar a un usuario administrador suministrar contenido peligroso a la p\u00e1gina vulnerable, que luego es reflejado de regreso al usuario y es ejecutado por el navegador web. El mecanismo m\u00e1s com\u00fan para suministrar contenido malicioso es incluirlo como par\u00e1metro en una URL que es publicado o es enviado por correo electr\u00f3nico directamente a las v\u00edctimas. NOTA: Esta vulnerabilidad s\u00f3lo afecta a productos que ya no est\u00e1n soportados por el mantenedor"}], "lastModified": "2024-04-11T01:12:42.790", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:glassfish_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17B12E9C-613F-47CD-83F0-0E181A025C9E", "versionEndIncluding": "3.1.2.18"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}