CVE-2021-42856 - OpenCVE

It was discovered that the /DsaDataTest endpoint is susceptible to Cross-site scripting (XSS) attack. It was noted that the Metric parameter does not have any input checks on the user input that allows an attacker to craft its own malicious payload to trigger a XSS vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Riverbed	Steelcentral Appinternals Dynamic Sampling Agent

Configuration 1 [-]

OR	cpe:2.3:a:riverbed:steelcentral_appinternals_dynamic_sampling_agent::::::::
	cpe:2.3:a:riverbed:steelcentral_appinternals_dynamic_sampling_agent::::::::
	cpe:2.3:a:riverbed:steelcentral_appinternals_dynamic_sampling_agent:10.0.0:::::::*

References

Link	Resource
https://aternity.force.com/customersuccess/s/article/Reflected-Cross-site-Scripting-at-DsaDataTest-CVE-2021-42856	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GovTech CSG

Published: 2022-02-23T00:00:00

Updated: 2022-03-09T16:51:56

Reserved: 2021-10-25T00:00:00

Link: CVE-2021-42856

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-03-10T17:44:07.997

Modified: 2022-03-15T16:41:20.987

Link: CVE-2021-42856

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "SteelCentral AppInternals Dynamic Sampling Agent", "vendor": "Aternity", "versions": [{"status": "affected", "version": "10.x"}, {"lessThan": "12.13.0", "status": "affected", "version": "12.13.0", "versionType": "custom"}, {"lessThan": "11.8.8", "status": "affected", "version": "11.8.8", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Darrel Huang, Bjorn Lim, Leng Kang Hao from Government Technology Agency of Singapore"}], "datePublic": "2022-02-23T00:00:00", "descriptions": [{"lang": "en", "value": "It was discovered that the /DsaDataTest endpoint is susceptible to Cross-site scripting (XSS) attack. It was noted that the Metric parameter does not have any input checks on the user input that allows an attacker to craft its own malicious payload to trigger a XSS vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-09T16:51:56", "orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://aternity.force.com/customersuccess/s/article/Reflected-Cross-site-Scripting-at-DsaDataTest-CVE-2021-42856"}], "source": {"discovery": "INTERNAL"}, "title": "Reflected Cross-site Scripting at DsaDataTest", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve_disclosure@tech.gov.sg", "DATE_PUBLIC": "2022-02-23T10:30:00.000Z", "ID": "CVE-2021-42856", "STATE": "PUBLIC", "TITLE": "Reflected Cross-site Scripting at DsaDataTest"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SteelCentral AppInternals Dynamic Sampling Agent", "version": {"version_data": [{"version_affected": "<", "version_name": "12.13.0", "version_value": "12.13.0"}, {"version_affected": "<", "version_name": "11.8.8", "version_value": "11.8.8"}, {"version_affected": "=", "version_name": "10.x", "version_value": "10.x"}]}}]}, "vendor_name": "Aternity"}]}}, "credit": [{"lang": "eng", "value": "Darrel Huang, Bjorn Lim, Leng Kang Hao from Government Technology Agency of Singapore"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was discovered that the /DsaDataTest endpoint is susceptible to Cross-site scripting (XSS) attack. It was noted that the Metric parameter does not have any input checks on the user input that allows an attacker to craft its own malicious payload to trigger a XSS vulnerability."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://aternity.force.com/customersuccess/s/article/Reflected-Cross-site-Scripting-at-DsaDataTest-CVE-2021-42856", "refsource": "CONFIRM", "url": "https://aternity.force.com/customersuccess/s/article/Reflected-Cross-site-Scripting-at-DsaDataTest-CVE-2021-42856"}]}, "source": {"discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "assignerShortName": "GovTech CSG", "cveId": "CVE-2021-42856", "datePublished": "2022-02-23T00:00:00", "dateReserved": "2021-10-25T00:00:00", "dateUpdated": "2022-03-09T16:51:56", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:riverbed:steelcentral_appinternals_dynamic_sampling_agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA9EBF00-4071-41C0-B05A-D942ACAB5F1A", "versionEndExcluding": "11.8.8", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:riverbed:steelcentral_appinternals_dynamic_sampling_agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "021DA9F8-778D-485D-9F4C-395A44F1DFC7", "versionEndExcluding": "12.13.0", "versionStartIncluding": "12.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:riverbed:steelcentral_appinternals_dynamic_sampling_agent:10.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B0564060-A159-41DD-B5F0-C7212F1891E0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "It was discovered that the /DsaDataTest endpoint is susceptible to Cross-site scripting (XSS) attack. It was noted that the Metric parameter does not have any input checks on the user input that allows an attacker to craft its own malicious payload to trigger a XSS vulnerability."}, {"lang": "es", "value": "Se ha detectado que el endpoint /DsaDataTest es susceptible de sufrir un ataque de tipo cross-site scripting (XSS). Se ha detectado que el par\u00e1metro Metric no presenta ninguna comprobaci\u00f3n de entrada en la entrada del usuario que permite a un atacante elaborar su propia carga \u00fatil maliciosa para desencadenar una vulnerabilidad de tipo XSS"}], "id": "CVE-2021-42856", "lastModified": "2022-03-15T16:41:20.987", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2022-03-10T17:44:07.997", "references": [{"source": "cve_disclosure@tech.gov.sg", "tags": ["Third Party Advisory"], "url": "https://aternity.force.com/customersuccess/s/article/Reflected-Cross-site-Scripting-at-DsaDataTest-CVE-2021-42856"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}