CVE-2020-7570 - OpenCVE

A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Stored) vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Cross-Site Scripting stored attack against other WebReport users.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Schneider-electric	Webreports

Configuration 1 [-]

cpe:2.3:a:schneider-electric:webreports:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.se.com/ww/en/download/document/SEVD-2020-315-04/	Patch Product Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: schneider

Published: 2020-11-19T21:02:22

Updated: 2020-11-19T21:02:22

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7570

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-11-19T22:15:15.317

Modified: 2022-01-31T19:45:05.003

Link: CVE-2020-7570

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "EcoStruxure Building Operation WebReports V1.9 - V3.1", "vendor": "n/a", "versions": [{"status": "affected", "version": "EcoStruxure Building Operation WebReports V1.9 - V3.1"}]}], "descriptions": [{"lang": "en", "value": "A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Stored) vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Cross-Site Scripting stored attack against other WebReport users."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-siteScripting Stored)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-19T21:02:22", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-315-04/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2020-7570", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "EcoStruxure Building Operation WebReports V1.9 - V3.1", "version": {"version_data": [{"version_value": "EcoStruxure Building Operation WebReports V1.9 - V3.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Stored) vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Cross-Site Scripting stored attack against other WebReport users."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-siteScripting Stored)"}]}]}, "references": {"reference_data": [{"name": "https://www.se.com/ww/en/download/document/SEVD-2020-315-04/", "refsource": "MISC", "url": "https://www.se.com/ww/en/download/document/SEVD-2020-315-04/"}]}}}}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2020-7570", "datePublished": "2020-11-19T21:02:22", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2020-11-19T21:02:22", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:webreports:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFEA3AED-DBEB-4B15-AD56-CEE221637C39", "versionEndIncluding": "3.1", "versionStartIncluding": "1.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Stored) vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Cross-Site Scripting stored attack against other WebReport users."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de Neutralizaci\u00f3n Inapropiada de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web CWE-79 (Cross-site Scripting Almacenado) en EcoStruxure Building Operation WebReports versiones V1.9 - V3.1 que podr\u00eda hacer que un usuario remoto autenticado pueda inyectar un script web o HTML arbitrario debido a una desinfecci\u00f3n incorrecta de los datos suministrados por el usuario y lograr un ataque de tipo Cross-Site Scripting almacenado contra otros usuarios de WebReport"}], "id": "CVE-2020-7570", "lastModified": "2022-01-31T19:45:05.003", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-19T22:15:15.317", "references": [{"source": "cybersecurity@se.com", "tags": ["Patch", "Product", "Vendor Advisory"], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-315-04/"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cybersecurity@se.com", "type": "Primary"}]}