CVE-2018-7787 - OpenCVE

In Schneider Electric U.motion Builder software versions prior to v1.3.4, this vulnerability is due to improper validation of input of context parameter in HTTP GET request.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Schneider-electric	U.motion Builder

Configuration 1 [-]

cpe:2.3:a:schneider-electric:u.motion_builder:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/104447	Third Party Advisory VDB Entry
https://www.schneider-electric.com/en/download/document/SEVD-2018-151-01/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: schneider

Published: 2018-05-31T00:00:00

Updated: 2018-07-04T09:57:01

Reserved: 2018-03-08T00:00:00

Link: CVE-2018-7787

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-07-03T14:29:01.680

Modified: 2018-08-28T13:45:30.080

Link: CVE-2018-7787

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "U.motion Builder", "vendor": "Schneider Electric SE", "versions": [{"status": "affected", "version": "U.motion Builder, all versions prior to 1.3.4"}]}], "datePublic": "2018-05-31T00:00:00", "descriptions": [{"lang": "en", "value": "In Schneider Electric U.motion Builder software versions prior to v1.3.4, this vulnerability is due to improper validation of input of context parameter in HTTP GET request."}], "problemTypes": [{"descriptions": [{"description": "Improper Input Validation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-07-04T09:57:01", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-151-01/"}, {"name": "104447", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104447"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "DATE_PUBLIC": "2018-05-31T00:00:00", "ID": "CVE-2018-7787", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "U.motion Builder", "version": {"version_data": [{"version_value": "U.motion Builder, all versions prior to 1.3.4"}]}}]}, "vendor_name": "Schneider Electric SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Schneider Electric U.motion Builder software versions prior to v1.3.4, this vulnerability is due to improper validation of input of context parameter in HTTP GET request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://www.schneider-electric.com/en/download/document/SEVD-2018-151-01/", "refsource": "CONFIRM", "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-151-01/"}, {"name": "104447", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104447"}]}}}}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2018-7787", "datePublished": "2018-05-31T00:00:00", "dateReserved": "2018-03-08T00:00:00", "dateUpdated": "2018-07-04T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:u.motion_builder:*:*:*:*:*:*:*:*", "matchCriteriaId": "D3DF1942-84D5-480C-96AA-3B03B58D43B5", "versionEndExcluding": "1.3.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Schneider Electric U.motion Builder software versions prior to v1.3.4, this vulnerability is due to improper validation of input of context parameter in HTTP GET request."}, {"lang": "es", "value": "En el software de Schneider Electric U.motion Builder en versiones anteriores a la v1.3.4, esta vulnerabilidad se debe a la validaci\u00f3n incorrecta de la entrada del par\u00e1metro context en la petici\u00f3n HTTP GET."}], "id": "CVE-2018-7787", "lastModified": "2018-08-28T13:45:30.080", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-03T14:29:01.680", "references": [{"source": "cybersecurity@se.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104447"}, {"source": "cybersecurity@se.com", "tags": ["Vendor Advisory"], "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-151-01/"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}