CVE-2019-1010247 - OpenCVE

ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Openidc	Mod Auth Openidc

Configuration 1 [-]

cpe:2.3:a:openidc:mod_auth_openidc:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/zmartzone/mod_auth_openidc/commit/132a4111bf3791e76437619a66336dce2ce4c79b	Patch Third Party Advisory
https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.3.10.2	Release Notes Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/08/msg00029.html
https://lists.debian.org/debian-lts-announce/2020/07/msg00028.html
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-001_mod_auth_openidc_reflected_xss.txt	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: dwf

Published: 2019-07-19T14:13:56

Updated: 2020-07-29T23:06:11

Reserved: 2019-03-20T00:00:00

Link: CVE-2019-1010247

JSON object: View

NVD Information

Status : Modified

Published: 2019-07-19T15:15:12.063

Modified: 2023-05-25T20:18:46.990

Link: CVE-2019-1010247

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "mod_auth_openidc", "vendor": "ZmartZone IAM", "versions": [{"status": "affected", "version": "2.3.10.1 and earlier [fixed: 2.3.10.2]"}]}], "descriptions": [{"lang": "en", "value": "ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2."}], "problemTypes": [{"descriptions": [{"description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-29T23:06:11", "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "shortName": "dwf"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.3.10.2"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zmartzone/mod_auth_openidc/commit/132a4111bf3791e76437619a66336dce2ce4c79b"}, {"tags": ["x_refsource_MISC"], "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-001_mod_auth_openidc_reflected_xss.txt"}, {"name": "[debian-lts-announce] 20190823 [SECURITY] [DLA 1894-1] libapache2-mod-auth-openidc security", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00029.html"}, {"name": "[debian-lts-announce] 20200729 [SECURITY] [DLA 2298-1] libapache2-mod-auth-openidc security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00028.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@distributedweaknessfiling.org", "ID": "CVE-2019-1010247", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "mod_auth_openidc", "version": {"version_data": [{"version_value": "2.3.10.1 and earlier [fixed: 2.3.10.2]"}]}}]}, "vendor_name": "ZmartZone IAM"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross Site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.3.10.2", "refsource": "MISC", "url": "https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.3.10.2"}, {"name": "https://github.com/zmartzone/mod_auth_openidc/commit/132a4111bf3791e76437619a66336dce2ce4c79b", "refsource": "MISC", "url": "https://github.com/zmartzone/mod_auth_openidc/commit/132a4111bf3791e76437619a66336dce2ce4c79b"}, {"name": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-001_mod_auth_openidc_reflected_xss.txt", "refsource": "MISC", "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-001_mod_auth_openidc_reflected_xss.txt"}, {"name": "[debian-lts-announce] 20190823 [SECURITY] [DLA 1894-1] libapache2-mod-auth-openidc security", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00029.html"}, {"name": "[debian-lts-announce] 20200729 [SECURITY] [DLA 2298-1] libapache2-mod-auth-openidc security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00028.html"}]}}}}, "cveMetadata": {"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "assignerShortName": "dwf", "cveId": "CVE-2019-1010247", "datePublished": "2019-07-19T14:13:56", "dateReserved": "2019-03-20T00:00:00", "dateUpdated": "2020-07-29T23:06:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openidc:mod_auth_openidc:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EC27208-2C72-4228-BFD4-9BFCBA66A9A8", "versionEndExcluding": "2.3.10.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2."}, {"lang": "es", "value": "IAM mod_auth_openidc versi\u00f3n 2.3.10.1 y anteriores de ZmartZone, est\u00e1 afectado por: Vulnerabilidad de tipo Cross-Site Scripting (XSS). El impacto es: Redireccionar al usuario a una p\u00e1gina de phishing o interactuar con la aplicaci\u00f3n en nombre del usuario. El componente es: Archivo: src/mod_auth_openidc.c, L\u00ednea: 3109. La versi\u00f3n corregida es: 2.3.10.2."}], "id": "CVE-2019-1010247", "lastModified": "2023-05-25T20:18:46.990", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-19T15:15:12.063", "references": [{"source": "josh@bress.net", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zmartzone/mod_auth_openidc/commit/132a4111bf3791e76437619a66336dce2ce4c79b"}, {"source": "josh@bress.net", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.3.10.2"}, {"source": "josh@bress.net", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00029.html"}, {"source": "josh@bress.net", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00028.html"}, {"source": "josh@bress.net", "tags": ["Third Party Advisory"], "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-001_mod_auth_openidc_reflected_xss.txt"}], "sourceIdentifier": "josh@bress.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}