CVE-2019-13948 - OpenCVE

SyGuestBook A5 Version 1.2 allows stored XSS because the isValidData function in include/functions.php does not properly block XSS payloads, as demonstrated by a crafted use of the onerror attribute of an IMG element.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Syguestbook A5 Project	Syguestbook A5

Configuration 1 [-]

cpe:2.3:a:syguestbook_a5_project:syguestbook_a5:1.2:*:*:*:*:*:*:*

References

Link	Resource
https://fragrant10.github.io/2019/02/22/SyGuestBookA5%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.html	Exploit Third Party Advisory
https://github.com/fragrant10/fragrant10.github.io/blob/master/_posts/2019-02-22-SyGuestBookA5%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-18T15:56:39

Updated: 2019-07-18T15:56:39

Reserved: 2019-07-18T00:00:00

Link: CVE-2019-13948

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-07-18T16:15:12.047

Modified: 2019-07-19T03:20:49.503

Link: CVE-2019-13948

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "SyGuestBook A5 Version 1.2 allows stored XSS because the isValidData function in include/functions.php does not properly block XSS payloads, as demonstrated by a crafted use of the onerror attribute of an IMG element."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-18T15:56:39", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://fragrant10.github.io/2019/02/22/SyGuestBookA5%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.html"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/fragrant10/fragrant10.github.io/blob/master/_posts/2019-02-22-SyGuestBookA5%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13948", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SyGuestBook A5 Version 1.2 allows stored XSS because the isValidData function in include/functions.php does not properly block XSS payloads, as demonstrated by a crafted use of the onerror attribute of an IMG element."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://fragrant10.github.io/2019/02/22/SyGuestBookA5%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.html", "refsource": "MISC", "url": "https://fragrant10.github.io/2019/02/22/SyGuestBookA5%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.html"}, {"name": "https://github.com/fragrant10/fragrant10.github.io/blob/master/_posts/2019-02-22-SyGuestBookA5%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md", "refsource": "MISC", "url": "https://github.com/fragrant10/fragrant10.github.io/blob/master/_posts/2019-02-22-SyGuestBookA5%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13948", "datePublished": "2019-07-18T15:56:39", "dateReserved": "2019-07-18T00:00:00", "dateUpdated": "2019-07-18T15:56:39", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:syguestbook_a5_project:syguestbook_a5:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "A3217682-A5E1-4D20-B409-4763D200F7BC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SyGuestBook A5 Version 1.2 allows stored XSS because the isValidData function in include/functions.php does not properly block XSS payloads, as demonstrated by a crafted use of the onerror attribute of an IMG element."}, {"lang": "es", "value": "SyGuestBook A5 Versi\u00f3n 1.2 permite XSS almacenado porque la funci\u00f3n isValidData en include / functions.php no bloquea adecuadamente las cargas \u00fatiles de XSS, como lo demuestra el uso dise\u00f1ado del atributo onerror de un elemento IMG."}], "id": "CVE-2019-13948", "lastModified": "2019-07-19T03:20:49.503", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-18T16:15:12.047", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://fragrant10.github.io/2019/02/22/SyGuestBookA5%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/fragrant10/fragrant10.github.io/blob/master/_posts/2019-02-22-SyGuestBookA5%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}