CVE-2021-44163 - OpenCVE

Chain Sea ai chatbot backend has improper filtering of special characters in URL parameters, which allows a remote attacker to perform JavaScript injection for XSS (reflected Cross-site scripting) attack without authentication.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Chinasea	Qb Smart Service Robot

Configuration 1 [-]

cpe:2.3:a:chinasea:qb_smart_service_robot:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.twcert.org.tw/tw/cp-132-5399-03b81-1.html	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: twcert

Published: 2021-12-17T00:00:00

Updated: 2021-12-20T03:10:22

Reserved: 2021-11-23T00:00:00

Link: CVE-2021-44163

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-12-20T03:15:06.770

Modified: 2021-12-27T17:02:17.867

Link: CVE-2021-44163

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "ai chatbot system", "vendor": "Chain Sea Information Integration Co., Ltd", "versions": [{"status": "unknown", "version": "0"}]}], "datePublic": "2021-12-17T00:00:00", "descriptions": [{"lang": "en", "value": "Chain Sea ai chatbot backend has improper filtering of special characters in URL parameters, which allows a remote attacker to perform JavaScript injection for XSS (reflected Cross-site scripting) attack without authentication."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-20T03:10:22", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-5399-03b81-1.html"}], "solutions": [{"lang": "en", "value": "Contact tech support from Chain Sea Information Integration Co., Ltd"}], "source": {"advisory": "TVN-202112005", "discovery": "EXTERNAL"}, "title": "Chain Sea Information Integration Co., Ltd ai chatbot system - Reflected XSS", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2021-12-17T08:27:00.000Z", "ID": "CVE-2021-44163", "STATE": "PUBLIC", "TITLE": "Chain Sea Information Integration Co., Ltd ai chatbot system - Reflected XSS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ai chatbot system", "version": {"version_data": [{"version_affected": "?", "version_value": "0"}]}}]}, "vendor_name": "Chain Sea Information Integration Co., Ltd"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Chain Sea ai chatbot backend has improper filtering of special characters in URL parameters, which allows a remote attacker to perform JavaScript injection for XSS (reflected Cross-site scripting) attack without authentication."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-5399-03b81-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-5399-03b81-1.html"}]}, "solution": [{"lang": "en", "value": "Contact tech support from Chain Sea Information Integration Co., Ltd"}], "source": {"advisory": "TVN-202112005", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2021-44163", "datePublished": "2021-12-17T00:00:00", "dateReserved": "2021-11-23T00:00:00", "dateUpdated": "2021-12-20T03:10:22", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chinasea:qb_smart_service_robot:-:*:*:*:*:*:*:*", "matchCriteriaId": "50A93B76-712F-4EF7-8E4B-22601324FE89", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Chain Sea ai chatbot backend has improper filtering of special characters in URL parameters, which allows a remote attacker to perform JavaScript injection for XSS (reflected Cross-site scripting) attack without authentication."}, {"lang": "es", "value": "El backend del chatbot Chain Sea ai, presenta un filtrado inapropiado de caracteres especiales en los par\u00e1metros de la URL, que permite a un atacante remoto llevar a cabo una inyecci\u00f3n de JavaScript para un ataque de tipo XSS (Cross-site scripting reflejado) sin autenticaci\u00f3n"}], "id": "CVE-2021-44163", "lastModified": "2021-12-27T17:02:17.867", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "twcert@cert.org.tw", "type": "Primary"}]}, "published": "2021-12-20T03:15:06.770", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-5399-03b81-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "twcert@cert.org.tw", "type": "Primary"}]}