CVE-2018-1233 - OpenCVE

RSA Authentication Agent version 8.0.1 and earlier for Web for both IIS and Apache Web Server are affected by a cross-site scripting vulnerability. The attackers could potentially exploit this vulnerability to execute arbitrary HTML or JavaScript code in the user's browser session in the context of the affected website.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Rsa	Authentication Agent For Web

Configuration 1 [-]

OR	cpe:2.3:a:rsa:authentication_agent_for_web::::::apache_web_server::*
	cpe:2.3:a:rsa:authentication_agent_for_web::::::iis::*

References

Link	Resource
http://seclists.org/fulldisclosure/2018/Mar/60	Mailing List Third Party Advisory
http://www.securitytracker.com/id/1040577	Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: dell

Published: 2018-03-26T00:00:00

Updated: 2018-03-31T09:57:01

Reserved: 2017-12-06T00:00:00

Link: CVE-2018-1233

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-03-30T21:29:01.747

Modified: 2018-04-20T15:06:21.820

Link: CVE-2018-1233

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "RSA Authentication Agent for Web for IIS, RSA Authentication Agent for Web for Apache Web Server", "vendor": "Dell EMC", "versions": [{"status": "affected", "version": "version 8.0.1 and earlier"}]}], "datePublic": "2018-03-26T00:00:00", "descriptions": [{"lang": "en", "value": "RSA Authentication Agent version 8.0.1 and earlier for Web for both IIS and Apache Web Server are affected by a cross-site scripting vulnerability. The attackers could potentially exploit this vulnerability to execute arbitrary HTML or JavaScript code in the user's browser session in the context of the affected website."}], "problemTypes": [{"descriptions": [{"description": "Cross-site Scripting Vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-31T09:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"name": "20180326 DSA-2018-040: RSA Authentication Agent for Web for IIS and Apache Web Server Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2018/Mar/60"}, {"name": "1040577", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1040577"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "DATE_PUBLIC": "2018-03-26T00:00:00", "ID": "CVE-2018-1233", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "RSA Authentication Agent for Web for IIS, RSA Authentication Agent for Web for Apache Web Server", "version": {"version_data": [{"version_value": "version 8.0.1 and earlier"}]}}]}, "vendor_name": "Dell EMC"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "RSA Authentication Agent version 8.0.1 and earlier for Web for both IIS and Apache Web Server are affected by a cross-site scripting vulnerability. The attackers could potentially exploit this vulnerability to execute arbitrary HTML or JavaScript code in the user's browser session in the context of the affected website."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-site Scripting Vulnerability"}]}]}, "references": {"reference_data": [{"name": "20180326 DSA-2018-040: RSA Authentication Agent for Web for IIS and Apache Web Server Multiple Vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2018/Mar/60"}, {"name": "1040577", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1040577"}]}}}}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2018-1233", "datePublished": "2018-03-26T00:00:00", "dateReserved": "2017-12-06T00:00:00", "dateUpdated": "2018-03-31T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rsa:authentication_agent_for_web:*:*:*:*:*:apache_web_server:*:*", "matchCriteriaId": "64395674-3183-4B8B-8881-802DEB973FDE", "versionEndIncluding": "8.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rsa:authentication_agent_for_web:*:*:*:*:*:iis:*:*", "matchCriteriaId": "C4DED5D1-72F4-4219-BF7B-78D070C14187", "versionEndIncluding": "8.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "RSA Authentication Agent version 8.0.1 and earlier for Web for both IIS and Apache Web Server are affected by a cross-site scripting vulnerability. The attackers could potentially exploit this vulnerability to execute arbitrary HTML or JavaScript code in the user's browser session in the context of the affected website."}, {"lang": "es", "value": "RSA Authentication Agent en versiones 8.0.1 y anteriores para Web para IIS y Apache Web Server se ve afectado por una vulnerabilidad Cross-Site Scripting (XSS). Los atacantes podr\u00edan explotar esta vulnerabilidad para ejecutar HTML o c\u00f3digo JavaScript arbitrarios en la sesi\u00f3n del buscador del usuario, en el contexto de la p\u00e1gina web afectada."}], "id": "CVE-2018-1233", "lastModified": "2018-04-20T15:06:21.820", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-30T21:29:01.747", "references": [{"source": "security_alert@emc.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2018/Mar/60"}, {"source": "security_alert@emc.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1040577"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}