CVE-2019-10085 - OpenCVE

In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Allura

Configuration 1 [-]

cpe:2.3:a:apache:allura:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/108816	Third Party Advisory VDB Entry
https://lists.apache.org/thread.html/88c064c95da2f41d5435ca5b3e364925bed72cc73bcec9b3f25e4c07%40%3Cdev.allura.apache.org%3E
https://lists.apache.org/thread.html/9a20914c4251a2ae3caebd8d0dd0056f3ac89209d6c216bb89efabd9%40%3Cannounce.apache.org%3E

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2019-06-18T23:07:22

Updated: 2019-06-19T17:06:02

Reserved: 2019-03-26T00:00:00

Link: CVE-2019-10085

JSON object: View

NVD Information

Status : Modified

Published: 2019-06-19T00:15:12.313

Modified: 2023-11-07T03:02:22.630

Link: CVE-2019-10085

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "Apache Allura", "vendor": "n/a", "versions": [{"status": "affected", "version": "Apache Allura prior to 1.11.0"}]}], "descriptions": [{"lang": "en", "value": "In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page."}], "problemTypes": [{"descriptions": [{"description": "XSS Vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-19T17:06:02", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/88c064c95da2f41d5435ca5b3e364925bed72cc73bcec9b3f25e4c07%40%3Cdev.allura.apache.org%3E"}, {"name": "108816", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108816"}, {"name": "[announce] 20190618 CVE-2019-10085 Apache Allura XSS vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/9a20914c4251a2ae3caebd8d0dd0056f3ac89209d6c216bb89efabd9%40%3Cannounce.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2019-10085", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Allura", "version": {"version_data": [{"version_value": "Apache Allura prior to 1.11.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "XSS Vulnerability"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/88c064c95da2f41d5435ca5b3e364925bed72cc73bcec9b3f25e4c07@%3Cdev.allura.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/88c064c95da2f41d5435ca5b3e364925bed72cc73bcec9b3f25e4c07@%3Cdev.allura.apache.org%3E"}, {"name": "108816", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108816"}, {"name": "[announce] 20190618 CVE-2019-10085 Apache Allura XSS vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/9a20914c4251a2ae3caebd8d0dd0056f3ac89209d6c216bb89efabd9@%3Cannounce.apache.org%3E"}]}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-10085", "datePublished": "2019-06-18T23:07:22", "dateReserved": "2019-03-26T00:00:00", "dateUpdated": "2019-06-19T17:06:02", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:allura:*:*:*:*:*:*:*:*", "matchCriteriaId": "30802C26-70C1-47AC-AE61-3B668E2E0D02", "versionEndExcluding": "1.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page."}, {"lang": "es", "value": "En Apache Allura en versiones anteriores a la 1.11.0, se presenta una vulnerabilidad de tipo XSS almacenado en el selector desplegable de usuario al crear o editar tickets. El XSS se ejecuta cuando un usuario interact\u00faa con dicho desplegable en esa p\u00e1gina."}], "id": "CVE-2019-10085", "lastModified": "2023-11-07T03:02:22.630", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-19T00:15:12.313", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/108816"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/88c064c95da2f41d5435ca5b3e364925bed72cc73bcec9b3f25e4c07%40%3Cdev.allura.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/9a20914c4251a2ae3caebd8d0dd0056f3ac89209d6c216bb89efabd9%40%3Cannounce.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}