CVE-2021-27659 - OpenCVE

exacqVision Web Service 21.03 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Johnsoncontrols	Exacqvision Web Service

Configuration 1 [-]

cpe:2.3:a:johnsoncontrols:exacqvision_web_service:*:*:*:*:*:*:*:*

References

Link	Resource
https://us-cert.cisa.gov/ics/advisories/icsa-21-180-01	Third Party Advisory US Government Resource
https://us-cert.gov/ics/advisories	Third Party Advisory US Government Resource
https://www.johnsoncontrols.com/cyber-solutions/security-advisories	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jci

Published: 2021-06-24T00:00:00

Updated: 2021-06-30T15:25:00

Reserved: 2021-02-24T00:00:00

Link: CVE-2021-27659

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-06-24T14:15:09.673

Modified: 2021-09-20T18:48:19.517

Link: CVE-2021-27659

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "exacqVision Web Service", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "21.03", "status": "affected", "version": "All versions up to and including 21.03", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Milan Kyselica, Roman Stevanak"}], "datePublic": "2021-06-24T00:00:00", "descriptions": [{"lang": "en", "value": "exacqVision Web Service 21.03 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-30T15:25:00", "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "https://us-cert.gov/ics/advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-01"}], "solutions": [{"lang": "en", "value": "Upgrade all previous versions of exacqVision Web Service to the latest version of 21.06.\n\nCurrent users can obtain the critical software update from the Software Downloads location at https://www.exacq.com/support/downloads.php. \n"}], "source": {"discovery": "EXTERNAL"}, "title": "exacqVision Web Service CSS", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productsecurity@jci.com", "DATE_PUBLIC": "2021-06-24T06:00:00.000Z", "ID": "CVE-2021-27659", "STATE": "PUBLIC", "TITLE": "exacqVision Web Service CSS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "exacqVision Web Service", "version": {"version_data": [{"version_affected": "<=", "version_name": "All versions up to and including 21.03", "version_value": "21.03"}]}}]}, "vendor_name": "Johnson Controls"}]}}, "credit": [{"lang": "eng", "value": "Milan Kyselica, Roman Stevanak"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "exacqVision Web Service 21.03 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories", "refsource": "CONFIRM", "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "refsource": "CERT", "url": "https://us-cert.gov/ics/advisories"}, {"name": "ICS-CERT Advisory", "refsource": "CERT", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-01"}]}, "solution": [{"lang": "en", "value": "Upgrade all previous versions of exacqVision Web Service to the latest version of 21.06.\n\nCurrent users can obtain the critical software update from the Software Downloads location at https://www.exacq.com/support/downloads.php. \n"}], "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "assignerShortName": "jci", "cveId": "CVE-2021-27659", "datePublished": "2021-06-24T00:00:00", "dateReserved": "2021-02-24T00:00:00", "dateUpdated": "2021-06-30T15:25:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:johnsoncontrols:exacqvision_web_service:*:*:*:*:*:*:*:*", "matchCriteriaId": "4B1A2AD4-3256-4D13-88C7-865C3ED843EA", "versionEndIncluding": "21.03", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "exacqVision Web Service 21.03 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users."}, {"lang": "es", "value": "exacqVision Web Service versi\u00f3n 21.03 no combrueba, filtra, escapa y/o codifica suficientemente la entrada controlable por el usuario antes de colocarla en la salida que se utiliza como p\u00e1gina web que es servida a otros usuarios"}], "id": "CVE-2021-27659", "lastModified": "2021-09-20T18:48:19.517", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "productsecurity@jci.com", "type": "Secondary"}]}, "published": "2021-06-24T14:15:09.673", "references": [{"source": "productsecurity@jci.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-01"}, {"source": "productsecurity@jci.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.gov/ics/advisories"}, {"source": "productsecurity@jci.com", "tags": ["Vendor Advisory"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}], "sourceIdentifier": "productsecurity@jci.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "productsecurity@jci.com", "type": "Secondary"}]}