CVE-2018-1254 - OpenCVE

RSA Authentication Manager Security Console, versions 8.3 P1 and earlier, contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim Security Console administrator to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Emc	Rsa Authentication Manager

Configuration 1 [-]

cpe:2.3:a:emc:rsa_authentication_manager:*:p1:*:*:*:*:*:*

No data.

References

Link	Providers
http://seclists.org/fulldisclosure/2018/Jun/39
http://www.securityfocus.com/bid/104534
http://www.securitytracker.com/id/1041134

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2018-06-21T15:00:00Z

Updated: 2024-09-17T02:11:11.898Z

Reserved: 2017-12-06T00:00:00

Link: CVE-2018-1254

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-06-21T15:29:00.317

Modified: 2020-03-27T14:07:47.423

Link: CVE-2018-1254

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "RSA Authentication Manager", "vendor": "RSA", "versions": [{"lessThanOrEqual": "8.3 P1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2018-06-12T00:00:00", "descriptions": [{"lang": "en", "value": "RSA Authentication Manager Security Console, versions 8.3 P1 and earlier, contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim Security Console administrator to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser."}], "problemTypes": [{"descriptions": [{"description": "Reflected cross-site scripting vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-06-26T09:57:02", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"name": "104534", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104534"}, {"name": "1041134", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1041134"}, {"name": "20180612 DSA-2018-107: RSA Authentication Manager Cross-site scripting Vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2018/Jun/39"}], "source": {"discovery": "UNKNOWN"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "DATE_PUBLIC": "2018-06-12T04:00:00.000Z", "ID": "CVE-2018-1254", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "RSA Authentication Manager", "version": {"version_data": [{"affected": "<=", "version_affected": "<=", "version_value": "8.3 P1"}]}}]}, "vendor_name": "RSA"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "RSA Authentication Manager Security Console, versions 8.3 P1 and earlier, contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim Security Console administrator to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Reflected cross-site scripting vulnerability"}]}]}, "references": {"reference_data": [{"name": "104534", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104534"}, {"name": "1041134", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1041134"}, {"name": "20180612 DSA-2018-107: RSA Authentication Manager Cross-site scripting Vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2018/Jun/39"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:51:49.104Z"}, "title": "CVE Program Container", "references": [{"name": "104534", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/104534"}, {"name": "1041134", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1041134"}, {"name": "20180612 DSA-2018-107: RSA Authentication Manager Cross-site scripting Vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2018/Jun/39"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2018-1254", "datePublished": "2018-06-21T15:00:00Z", "dateReserved": "2017-12-06T00:00:00", "dateUpdated": "2024-09-17T02:11:11.898Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emc:rsa_authentication_manager:*:p1:*:*:*:*:*:*", "matchCriteriaId": "B74A7A80-108D-4771-9E6E-D29F741E7633", "versionEndIncluding": "8.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RSA Authentication Manager Security Console, versions 8.3 P1 and earlier, contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim Security Console administrator to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser."}, {"lang": "es", "value": "RSA Authentication Manager Security Console en versiones 8.3 P1 y anteriores contiene una vulnerabilidad Cross-Site Scripting (XSS) reflejado. Un atacante remoto no autenticado podr\u00eda explotar esta vulnerabilidad enga\u00f1ando a un administrador Security Console v\u00edctima para que proporcione c\u00f3digo HTML o JavaScript malicioso a una aplicaci\u00f3n web vulnerable, que se devuelve a la v\u00edctima y es ejecutado por el navegador web."}], "id": "CVE-2018-1254", "lastModified": "2020-03-27T14:07:47.423", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-21T15:29:00.317", "references": [{"source": "security_alert@emc.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2018/Jun/39"}, {"source": "security_alert@emc.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104534"}, {"source": "security_alert@emc.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1041134"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}