CVE-2017-13754 - OpenCVE

Cross-site scripting (XSS) vulnerability in the "advanced settings - time server" module in Wibu-Systems CodeMeter before 6.50b allows remote attackers to inject arbitrary web script or HTML via the "server name" field in actions/ChangeConfiguration.html.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wibu	Codemeter

Configuration 1 [-]

cpe:2.3:a:wibu:codemeter:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://seclists.org/fulldisclosure/2017/Sep/1
http://www.securityfocus.com/archive/1/541119/100/0/threaded
http://www.securityfocus.com/bid/104433
https://ics-cert.us-cert.gov/advisories/ICSA-18-102-02
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1073133
https://www.exploit-db.com/exploits/42610/
https://www.vulnerability-lab.com/get_content.php?id=2074

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-09-07T13:00:00

Updated: 2024-08-05T19:05:19.996Z

Reserved: 2017-08-29T00:00:00

Link: CVE-2017-13754

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-09-07T13:29:00.620

Modified: 2018-10-09T20:01:02.790

Link: CVE-2017-13754

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-09-04T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the \"advanced settings - time server\" module in Wibu-Systems CodeMeter before 6.50b allows remote attackers to inject arbitrary web script or HTML via the \"server name\" field in actions/ChangeConfiguration.html."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.vulnerability-lab.com/get_content.php?id=2074"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1073133"}, {"name": "20170904 Wibu Systems AG CodeMeter 6.50 - Persistent XSS Vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/541119/100/0/threaded"}, {"name": "20170904 Wibu Systems AG CodeMeter 6.50 - Persistent XSS Vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2017/Sep/1"}, {"name": "104433", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104433"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-102-02"}, {"name": "42610", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/42610/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-13754", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the \"advanced settings - time server\" module in Wibu-Systems CodeMeter before 6.50b allows remote attackers to inject arbitrary web script or HTML via the \"server name\" field in actions/ChangeConfiguration.html."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.vulnerability-lab.com/get_content.php?id=2074", "refsource": "MISC", "url": "https://www.vulnerability-lab.com/get_content.php?id=2074"}, {"name": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1073133", "refsource": "CONFIRM", "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1073133"}, {"name": "20170904 Wibu Systems AG CodeMeter 6.50 - Persistent XSS Vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/541119/100/0/threaded"}, {"name": "20170904 Wibu Systems AG CodeMeter 6.50 - Persistent XSS Vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2017/Sep/1"}, {"name": "104433", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104433"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-102-02", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-102-02"}, {"name": "42610", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/42610/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T19:05:19.996Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.vulnerability-lab.com/get_content.php?id=2074"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1073133"}, {"name": "20170904 Wibu Systems AG CodeMeter 6.50 - Persistent XSS Vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/541119/100/0/threaded"}, {"name": "20170904 Wibu Systems AG CodeMeter 6.50 - Persistent XSS Vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2017/Sep/1"}, {"name": "104433", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/104433"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-102-02"}, {"name": "42610", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/42610/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-13754", "datePublished": "2017-09-07T13:00:00", "dateReserved": "2017-08-29T00:00:00", "dateUpdated": "2024-08-05T19:05:19.996Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wibu:codemeter:*:*:*:*:*:*:*:*", "matchCriteriaId": "47F7DE4B-6E64-4D3C-AC9E-D13EDFC234AF", "versionEndIncluding": "6.50a", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the \"advanced settings - time server\" module in Wibu-Systems CodeMeter before 6.50b allows remote attackers to inject arbitrary web script or HTML via the \"server name\" field in actions/ChangeConfiguration.html."}, {"lang": "es", "value": "Una vulnerabilidad de tipo Cross-Site Scripting (XSS) en el m\u00f3dulo \"advanced settings - time server\" en Wibu-Systems CodeMeter en versiones anteriores a la 6.50b permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante el campo \"server name\" en actions/ChangeConfiguration.html."}], "id": "CVE-2017-13754", "lastModified": "2018-10-09T20:01:02.790", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-09-07T13:29:00.620", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2017/Sep/1"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/541119/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/104433"}, {"source": "cve@mitre.org", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-102-02"}, {"source": "cve@mitre.org", "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1073133"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/42610/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.vulnerability-lab.com/get_content.php?id=2074"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}