CVE-2017-14922 - OpenCVE

Stored XSS vulnerability via IMG element at "History" of Profile, Calendar, Tasks, and CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Tine20	Tine 2.0

Configuration 1 [-]

cpe:2.3:a:tine20:tine_2.0:*:*:*:*:community:*:*:*

No data.

References

Link	Providers
http://openwall.com/lists/oss-security/2017/09/28/11
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/146c5aaafd826c1c8990333c393bff6f64c90786
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/24e39e1e930097b8793a03b8864d3c484ede546b
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/bc8a6fbd3128cf5ef27d808f6c6ba869fdc2262b
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/releases

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-09-29T07:00:00

Updated: 2024-08-05T19:42:22.235Z

Reserved: 2017-09-29T00:00:00

Link: CVE-2017-14922

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-09-30T01:29:01.960

Modified: 2017-10-05T18:43:39.277

Link: CVE-2017-14922

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-09-29T00:00:00", "descriptions": [{"lang": "en", "value": "Stored XSS vulnerability via IMG element at \"History\" of Profile, Calendar, Tasks, and CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-29T06:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/releases"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/24e39e1e930097b8793a03b8864d3c484ede546b"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/bc8a6fbd3128cf5ef27d808f6c6ba869fdc2262b"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/146c5aaafd826c1c8990333c393bff6f64c90786"}, {"tags": ["x_refsource_MISC"], "url": "http://openwall.com/lists/oss-security/2017/09/28/11"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-14922", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Stored XSS vulnerability via IMG element at \"History\" of Profile, Calendar, Tasks, and CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/releases", "refsource": "MISC", "url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/releases"}, {"name": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/24e39e1e930097b8793a03b8864d3c484ede546b", "refsource": "MISC", "url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/24e39e1e930097b8793a03b8864d3c484ede546b"}, {"name": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/bc8a6fbd3128cf5ef27d808f6c6ba869fdc2262b", "refsource": "MISC", "url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/bc8a6fbd3128cf5ef27d808f6c6ba869fdc2262b"}, {"name": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/146c5aaafd826c1c8990333c393bff6f64c90786", "refsource": "MISC", "url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/146c5aaafd826c1c8990333c393bff6f64c90786"}, {"name": "http://openwall.com/lists/oss-security/2017/09/28/11", "refsource": "MISC", "url": "http://openwall.com/lists/oss-security/2017/09/28/11"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T19:42:22.235Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/releases"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/24e39e1e930097b8793a03b8864d3c484ede546b"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/bc8a6fbd3128cf5ef27d808f6c6ba869fdc2262b"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/146c5aaafd826c1c8990333c393bff6f64c90786"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2017/09/28/11"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-14922", "datePublished": "2017-09-29T07:00:00", "dateReserved": "2017-09-29T00:00:00", "dateUpdated": "2024-08-05T19:42:22.235Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tine20:tine_2.0:*:*:*:*:community:*:*:*", "matchCriteriaId": "B37AEE90-38C9-404F-8120-555D5DAD5AC1", "versionEndIncluding": "2017.08.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Stored XSS vulnerability via IMG element at \"History\" of Profile, Calendar, Tasks, and CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users."}, {"lang": "es", "value": "Una vulnerabilidad de Cross-Site Scripting (XSS) persistente mediante un elemento IMG en \"History\" de of Profile, Calendar, Tasks y CRM en Time Community Edition en versiones anteriores a la 2017.08.4 permite que un usuario autenticado inyecte c\u00f3digo JavaScript, el cual no se gestiona correctamente durante el renderizado por parte del administrador de la aplicaci\u00f3n u otros usuarios."}], "id": "CVE-2017-14922", "lastModified": "2017-10-05T18:43:39.277", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-09-30T01:29:01.960", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://openwall.com/lists/oss-security/2017/09/28/11"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/146c5aaafd826c1c8990333c393bff6f64c90786"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/24e39e1e930097b8793a03b8864d3c484ede546b"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/bc8a6fbd3128cf5ef27d808f6c6ba869fdc2262b"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Release Notes", "Patch", "Third Party Advisory"], "url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/releases"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}