CVE-2018-14690 - OpenCVE

An issue was discovered in Subsonic 6.1.1. The general settings are affected by two stored cross-site scripting vulnerabilities in the title and subtitle parameters to generalSettings.view that could be used to steal session information of a victim.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Subsonic	Subsonic

Configuration 1 [-]

cpe:2.3:a:subsonic:subsonic:6.1.1:*:*:*:*:*:*:*

References

Link	Resource
https://www.bishopfox.com/news/2018/09/subsonic-6-1-1-multiple-vulnerabilities/	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-09-21T16:00:00

Updated: 2018-09-21T15:57:01

Reserved: 2018-07-28T00:00:00

Link: CVE-2018-14690

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-09-21T16:29:01.017

Modified: 2018-11-09T14:55:54.977

Link: CVE-2018-14690

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:subsonic:subsonic:6.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "0D1EA39E-CFA6-4FCA-93A2-BA6938702E6B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Subsonic 6.1.1. The general settings are affected by two stored cross-site scripting vulnerabilities in the title and subtitle parameters to generalSettings.view that could be used to steal session information of a victim."}, {"lang": "es", "value": "Se ha descubierto un problema en Subsonic 6.1.1. La configuraci\u00f3n general se ve afectada por dos vulnerabilidades Cross-Site Scripting (XSS) almacenadas en los par\u00e1metros title y subtitle para generalSettings.view que podr\u00edan usarse para robar informaci\u00f3n de sesi\u00f3n de una v\u00edctima."}], "id": "CVE-2018-14690", "lastModified": "2018-11-09T14:55:54.977", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-09-21T16:29:01.017", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.bishopfox.com/news/2018/09/subsonic-6-1-1-multiple-vulnerabilities/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}