CVE-2017-3890 - OpenCVE

A reflected cross-site scripting vulnerability in the BlackBerry WatchDox Server components Appliance-X, version 1.8.1 and earlier, and vAPP, versions 4.6.0 to 5.4.1, allows remote attackers to execute script commands in the context of the affected browser by persuading a user to click an attacker-supplied malicious link.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Blackberry	Workspaces Vapp Appliance-x

Configuration 1 [-]

cpe:2.3:a:blackberry:appliance-x:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:blackberry:workspaces_vapp:4.6.0:::::::*
	cpe:2.3:a:blackberry:workspaces_vapp:5.4.1:::::::*

References

Link	Resource
http://support.blackberry.com/kb/articleDetail?articleNumber=000038915	Vendor Advisory
http://www.securityfocus.com/bid/95442	Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: blackberry

Published: 2017-01-13T09:00:00

Updated: 2017-01-17T10:57:01

Reserved: 2016-12-21T00:00:00

Link: CVE-2017-3890

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-01-13T09:59:00.497

Modified: 2021-04-22T21:18:37.010

Link: CVE-2017-3890

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "BlackBerry WatchDox Server", "vendor": "n/a", "versions": [{"status": "affected", "version": "BlackBerry WatchDox Server"}]}], "datePublic": "2017-01-13T00:00:00", "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting vulnerability in the BlackBerry WatchDox Server components Appliance-X, version 1.8.1 and earlier, and vAPP, versions 4.6.0 to 5.4.1, allows remote attackers to execute script commands in the context of the affected browser by persuading a user to click an attacker-supplied malicious link."}], "problemTypes": [{"descriptions": [{"description": "cross-site scripting", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-01-17T10:57:01", "orgId": "dbe78b00-5e7b-4fda-8748-329789ecfc5c", "shortName": "blackberry"}, "references": [{"name": "95442", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95442"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000038915"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@blackberry.com", "ID": "CVE-2017-3890", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "BlackBerry WatchDox Server", "version": {"version_data": [{"version_value": "BlackBerry WatchDox Server"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A reflected cross-site scripting vulnerability in the BlackBerry WatchDox Server components Appliance-X, version 1.8.1 and earlier, and vAPP, versions 4.6.0 to 5.4.1, allows remote attackers to execute script commands in the context of the affected browser by persuading a user to click an attacker-supplied malicious link."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "cross-site scripting"}]}]}, "references": {"reference_data": [{"name": "95442", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95442"}, {"name": "http://support.blackberry.com/kb/articleDetail?articleNumber=000038915", "refsource": "CONFIRM", "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000038915"}]}}}}, "cveMetadata": {"assignerOrgId": "dbe78b00-5e7b-4fda-8748-329789ecfc5c", "assignerShortName": "blackberry", "cveId": "CVE-2017-3890", "datePublished": "2017-01-13T09:00:00", "dateReserved": "2016-12-21T00:00:00", "dateUpdated": "2017-01-17T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:blackberry:appliance-x:*:*:*:*:*:*:*:*", "matchCriteriaId": "ADC9816C-3AF1-416C-BC8A-63BFCC67A57D", "versionEndIncluding": "1.8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:blackberry:workspaces_vapp:4.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "E3A603A1-4BB1-469C-8DB1-75D62189655E", "vulnerable": true}, {"criteria": "cpe:2.3:a:blackberry:workspaces_vapp:5.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "6D46EFB9-56E8-4CB2-B0D5-82A1DF6530D0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting vulnerability in the BlackBerry WatchDox Server components Appliance-X, version 1.8.1 and earlier, and vAPP, versions 4.6.0 to 5.4.1, allows remote attackers to execute script commands in the context of the affected browser by persuading a user to click an attacker-supplied malicious link."}, {"lang": "es", "value": "Una vulnerabilidad de secuencias de comandos en sitios cruzados reflejada en los componentes de BlackBerry WatchDox Server Appliance-X versi\u00f3n 1.8.1 y anteriores y vAPP versiones 4.6.0 hasta 5.4.1, permite a atacantes remotos ejecutar secuencias de comandos en el contexto del navegador afectado persuadiendo a un usuario a hacer clic en un enlace malicioso proporcionado por el atacante."}], "id": "CVE-2017-3890", "lastModified": "2021-04-22T21:18:37.010", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-01-13T09:59:00.497", "references": [{"source": "secure@blackberry.com", "tags": ["Vendor Advisory"], "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000038915"}, {"source": "secure@blackberry.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95442"}], "sourceIdentifier": "secure@blackberry.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}