CVE-2018-1255 - OpenCVE

RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Emc	Rsa Identity Governance And Lifecycle

Configuration 1 [-]

OR	cpe:2.3:a:emc:rsa_identity_governance_and_lifecycle:7.0.1:::::::*
	cpe:2.3:a:emc:rsa_identity_governance_and_lifecycle:7.0.2:::::::*
	cpe:2.3:a:emc:rsa_identity_governance_and_lifecycle:7.1.0:::::::*

References

Link	Resource
http://seclists.org/fulldisclosure/2018/Jul/46	Mailing List Third Party Advisory
http://www.securitytracker.com/id/1041287	Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: dell

Published: 2018-07-11T00:00:00

Updated: 2018-07-27T09:57:01

Reserved: 2017-12-06T00:00:00

Link: CVE-2018-1255

JSON object: View

NVD Information

Status : Modified

Published: 2018-07-13T17:29:00.357

Modified: 2019-10-09T23:38:17.647

Link: CVE-2018-1255

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "RSA Identity Governance and Lifecycle", "vendor": "RSA", "versions": [{"status": "affected", "version": "version 7.0.1, all patch levels"}, {"status": "affected", "version": "version 7.0.2, all patch levels"}, {"status": "affected", "version": "version 7.1.0, all patch levels"}]}], "datePublic": "2018-07-11T00:00:00", "descriptions": [{"lang": "en", "value": "RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Reflected Cross-Site Scripting Vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-07-27T09:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"name": "1041287", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1041287"}, {"name": "20180711 DSA-2018-084: RSA Identity Governance and Lifecycle Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2018/Jul/46"}], "source": {"discovery": "UNKNOWN"}, "title": "Reflected Cross-Site Scripting Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "DATE_PUBLIC": "2018-07-11T04:00:00.000Z", "ID": "CVE-2018-1255", "STATE": "PUBLIC", "TITLE": "Reflected Cross-Site Scripting Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "RSA Identity Governance and Lifecycle", "version": {"version_data": [{"version_value": "version 7.0.1, all patch levels"}, {"version_value": "version 7.0.2, all patch levels"}, {"version_value": "version 7.1.0, all patch levels"}]}}]}, "vendor_name": "RSA"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Reflected Cross-Site Scripting Vulnerability"}]}]}, "references": {"reference_data": [{"name": "1041287", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1041287"}, {"name": "20180711 DSA-2018-084: RSA Identity Governance and Lifecycle Multiple Vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2018/Jul/46"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2018-1255", "datePublished": "2018-07-11T00:00:00", "dateReserved": "2017-12-06T00:00:00", "dateUpdated": "2018-07-27T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emc:rsa_identity_governance_and_lifecycle:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "FD65ECE7-AEC0-4996-AA77-A1394CD10E55", "vulnerable": true}, {"criteria": "cpe:2.3:a:emc:rsa_identity_governance_and_lifecycle:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "5288389E-1322-4441-A295-045E38B22D11", "vulnerable": true}, {"criteria": "cpe:2.3:a:emc:rsa_identity_governance_and_lifecycle:7.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0E12BFEB-1BFD-49BC-9EAC-B9A7C57B8ABD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser."}, {"lang": "es", "value": "RSA Identity Lifecycle and Governance en versiones 7.0.1, 7.0.2 y 7.1.0 contiene una vulnerabilidad de Cross-Site Scripting (XSS) reflejado. Un atacante remoto no autenticado podr\u00eda explotar esta vulnerabilidad enga\u00f1ando a un usuario de una aplicaci\u00f3n v\u00edctima para que proporcione c\u00f3digo HTML o JavaScript malicioso a una aplicaci\u00f3n web vulnerable, que se devuelve a la v\u00edctima y es ejecutado por el navegador web."}], "id": "CVE-2018-1255", "lastModified": "2019-10-09T23:38:17.647", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2018-07-13T17:29:00.357", "references": [{"source": "security_alert@emc.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2018/Jul/46"}, {"source": "security_alert@emc.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1041287"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}