CVE-2017-6864 - OpenCVE

The integrated web server in Siemens RUGGEDCOM ROX I (all versions) at port 10000/TCP could allow an authenticated user to perform stored Cross-Site Scripting attacks.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Siemens	Ruggedcom Rox I

Configuration 1 [-]

cpe:2.3:o:siemens:ruggedcom_rox_i:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/97170	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1038160
https://ics-cert.us-cert.gov/advisories/ICSA-17-087-01
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-327980.pdf	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: siemens

Published: 2017-03-29T01:00:00

Updated: 2017-07-11T09:57:01

Reserved: 2017-03-13T00:00:00

Link: CVE-2017-6864

JSON object: View

NVD Information

Status : Modified

Published: 2017-03-29T01:59:02.720

Modified: 2017-07-12T01:29:19.097

Link: CVE-2017-6864

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "RUGGEDCOM ROX I All versions", "vendor": "n/a", "versions": [{"status": "affected", "version": "RUGGEDCOM ROX I All versions"}]}], "datePublic": "2017-03-28T00:00:00", "descriptions": [{"lang": "en", "value": "The integrated web server in Siemens RUGGEDCOM ROX I (all versions) at port 10000/TCP could allow an authenticated user to perform stored Cross-Site Scripting attacks."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2017-07-11T09:57:01", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens"}, "references": [{"name": "97170", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/97170"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-327980.pdf"}, {"name": "1038160", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1038160"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-087-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productcert@siemens.com", "ID": "CVE-2017-6864", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "RUGGEDCOM ROX I All versions", "version": {"version_data": [{"version_value": "RUGGEDCOM ROX I All versions"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The integrated web server in Siemens RUGGEDCOM ROX I (all versions) at port 10000/TCP could allow an authenticated user to perform stored Cross-Site Scripting attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "97170", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97170"}, {"name": "https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-327980.pdf", "refsource": "CONFIRM", "url": "https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-327980.pdf"}, {"name": "1038160", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1038160"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-087-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-087-01"}]}}}}, "cveMetadata": {"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2017-6864", "datePublished": "2017-03-29T01:00:00", "dateReserved": "2017-03-13T00:00:00", "dateUpdated": "2017-07-11T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:ruggedcom_rox_i:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE0398E8-031B-4072-A3A5-BF3A2A361AAB", "versionEndIncluding": "2.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The integrated web server in Siemens RUGGEDCOM ROX I (all versions) at port 10000/TCP could allow an authenticated user to perform stored Cross-Site Scripting attacks."}, {"lang": "es", "value": "El servidor web integrado en Siemens RUGGEDCOM ROX I (todas las versiones) en el puerto 10000/TCP podr\u00eda permitir a un usuario autenticado realizar ataques de env\u00edo de secuencias de comandos en sitios cruzados almacenados."}], "id": "CVE-2017-6864", "lastModified": "2017-07-12T01:29:19.097", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-03-29T01:59:02.720", "references": [{"source": "productcert@siemens.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/97170"}, {"source": "productcert@siemens.com", "url": "http://www.securitytracker.com/id/1038160"}, {"source": "productcert@siemens.com", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-087-01"}, {"source": "productcert@siemens.com", "tags": ["Vendor Advisory"], "url": "https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-327980.pdf"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "productcert@siemens.com", "type": "Secondary"}]}