CVE-2019-3602 - OpenCVE

Cross Site Scripting (XSS) vulnerability in McAfee Network Security Manager (NSM) Prior to 9.1 Update 5 allows an authenticated administrator to embed an XSS in the administrator interface via a specially crafted custom rule containing HTML.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mcafee	Network Security Manager

Configuration 1 [-]

OR	cpe:2.3:a:mcafee:network_security_manager::::::::
	cpe:2.3:a:mcafee:network_security_manager:9.1:-::::::
	cpe:2.3:a:mcafee:network_security_manager:9.1:update_1::::::
	cpe:2.3:a:mcafee:network_security_manager:9.1:update_2::::::
	cpe:2.3:a:mcafee:network_security_manager:9.1:update_3::::::
	cpe:2.3:a:mcafee:network_security_manager:9.1:update_4::::::

References

Link	Resource
http://www.securityfocus.com/bid/108400
https://kc.mcafee.com/corporate/index?page=content&id=SB10281

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: trellix

Published: 2019-05-15T15:47:03

Updated: 2019-05-21T14:06:08

Reserved: 2019-01-03T00:00:00

Link: CVE-2019-3602

JSON object: View

NVD Information

Status : Modified

Published: 2019-05-15T16:29:00.613

Modified: 2023-11-07T03:09:59.120

Link: CVE-2019-3602

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "McAfee Network Security Manager (NSM)", "vendor": "McAfee, LLC", "versions": [{"lessThan": "9.1 update 5 (9.1.7.77)", "status": "affected", "version": "9.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Cross Site Scripting (XSS) vulnerability in McAfee Network Security Manager (NSM) Prior to 9.1 Update 5 allows an authenticated administrator to embed an XSS in the administrator interface via a specially crafted custom rule containing HTML."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Cross Site Scripting (XSS) vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-05-21T14:06:08", "orgId": "01626437-bf8f-4d1c-912a-893b5eb04808", "shortName": "trellix"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10281"}, {"name": "108400", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108400"}], "source": {"discovery": "EXTERNAL"}, "title": "Cross site scripting vulnerability in McAfee NSM impacting authenticated users", "x_generator": {"engine": "Vulnogram 0.0.6"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@mcafee.com", "ID": "CVE-2019-3602", "STATE": "PUBLIC", "TITLE": "Cross site scripting vulnerability in McAfee NSM impacting authenticated users"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "McAfee Network Security Manager (NSM)", "version": {"version_data": [{"version_affected": "<", "version_name": "9.1", "version_value": "9.1 update 5 (9.1.7.77)"}]}}]}, "vendor_name": "McAfee, LLC"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross Site Scripting (XSS) vulnerability in McAfee Network Security Manager (NSM) Prior to 9.1 Update 5 allows an authenticated administrator to embed an XSS in the administrator interface via a specially crafted custom rule containing HTML."}]}, "generator": {"engine": "Vulnogram 0.0.6"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross Site Scripting (XSS) vulnerability"}]}]}, "references": {"reference_data": [{"name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10281", "refsource": "CONFIRM", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10281"}, {"name": "108400", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108400"}]}, "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808", "assignerShortName": "trellix", "cveId": "CVE-2019-3602", "datePublished": "2019-05-15T15:47:03", "dateReserved": "2019-01-03T00:00:00", "dateUpdated": "2019-05-21T14:06:08", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mcafee:network_security_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "03CBDCA3-BCF0-41CE-84A7-321414F47808", "versionEndExcluding": "9.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:network_security_manager:9.1:-:*:*:*:*:*:*", "matchCriteriaId": "67838E30-EBD3-4D97-8395-45435C14ECE5", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:network_security_manager:9.1:update_1:*:*:*:*:*:*", "matchCriteriaId": "A05388ED-A6AC-4D24-BA05-D5DC64F3BFA3", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:network_security_manager:9.1:update_2:*:*:*:*:*:*", "matchCriteriaId": "5BEB32F8-601A-4663-8D92-B933AF8DD3C3", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:network_security_manager:9.1:update_3:*:*:*:*:*:*", "matchCriteriaId": "BA150F4C-EDFD-4E53-BE45-B0D0BA73323F", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:network_security_manager:9.1:update_4:*:*:*:*:*:*", "matchCriteriaId": "67E9A510-DBD6-493E-8C4A-0A9AA96351F2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cross Site Scripting (XSS) vulnerability in McAfee Network Security Manager (NSM) Prior to 9.1 Update 5 allows an authenticated administrator to embed an XSS in the administrator interface via a specially crafted custom rule containing HTML."}, {"lang": "es", "value": "Vulnerabilidad de tipo Cross Site Scripting (XSS) en Network Security Manager (NSM) de McAfee anterior de la versi\u00f3n 9.1 actualizaci\u00f3n 5, permite a un administrador autenticado insertar un XSS en la interfaz del administrador por medio de una regla personalizada especialmente creada con contenido HTML."}], "id": "CVE-2019-3602", "lastModified": "2023-11-07T03:09:59.120", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "trellixpsirt@trellix.com", "type": "Secondary"}]}, "published": "2019-05-15T16:29:00.613", "references": [{"source": "trellixpsirt@trellix.com", "url": "http://www.securityfocus.com/bid/108400"}, {"source": "trellixpsirt@trellix.com", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10281"}], "sourceIdentifier": "trellixpsirt@trellix.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}