CVE-2018-13809 - OpenCVE

A vulnerability has been identified in CP 1604 (All versions), CP 1616 (All versions). The integrated web server of the affected CP devices could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into following a malicious link. User interaction is required for a successful exploitation. At the time of advisory publication no public exploitation of this vulnerability was known.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Siemens	Cp 1604 Cp 1604 Firmware Cp 1616 Cp 1616 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:siemens:cp_1604_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:cp_1604:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:siemens:cp_1616_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:cp_1616:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-559174.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: siemens

Published: 2019-04-17T13:38:34

Updated: 2024-08-05T09:14:47.175Z

Reserved: 2018-07-10T00:00:00

Link: CVE-2018-13809

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-04-17T14:29:02.840

Modified: 2019-07-11T22:15:10.717

Link: CVE-2018-13809

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "CP 1604", "vendor": "Siemens", "versions": [{"status": "affected", "version": "All versions"}]}, {"product": "CP 1616", "vendor": "Siemens", "versions": [{"status": "affected", "version": "All versions"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in CP 1604 (All versions), CP 1616 (All versions). The integrated web server of the affected CP devices could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into following a malicious link. User interaction is required for a successful exploitation. At the time of advisory publication no public exploitation of this vulnerability was known."}], "problemTypes": [{"descriptions": [{"description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-11T21:17:46", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-559174.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productcert@siemens.com", "ID": "CVE-2018-13809", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CP 1604", "version": {"version_data": [{"version_value": "All versions"}]}}, {"product_name": "CP 1616", "version": {"version_data": [{"version_value": "All versions"}]}}]}, "vendor_name": "Siemens"}]}}, "cve_id": "CVE-2018-13809", "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability has been identified in CP 1604 (All versions), CP 1616 (All versions). The integrated web server of the affected CP devices could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into following a malicious link. User interaction is required for a successful exploitation. At the time of advisory publication no public exploitation of this vulnerability was known."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-559174.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-559174.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T09:14:47.175Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-559174.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2018-13809", "datePublished": "2019-04-17T13:38:34", "dateReserved": "2018-07-10T00:00:00", "dateUpdated": "2024-08-05T09:14:47.175Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:cp_1604_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DC92E3A-CA37-4D08-A0EB-71DBB4C5395A", "versionEndIncluding": "2.8", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:cp_1604:-:*:*:*:*:*:*:*", "matchCriteriaId": "6148BD0D-5BD1-4182-8202-EBDB56B0D146", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:cp_1616_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D5FEC73-E96E-4945-8C0B-4A7B5B236ABD", "versionEndIncluding": "2.8", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:cp_1616:-:*:*:*:*:*:*:*", "matchCriteriaId": "1D7CC79A-1446-415F-8BFF-71C82C9256BB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in CP 1604 (All versions), CP 1616 (All versions). The integrated web server of the affected CP devices could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into following a malicious link. User interaction is required for a successful exploitation. At the time of advisory publication no public exploitation of this vulnerability was known."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en CP 1604 (todas las versiones), CP 1616 (todas las versiones). El servidor web integrado de los dispositivos CP afectados podr\u00eda permitir ataques tipo Cross-Site Scripting (XSS) si se enga\u00f1a a los usuarios desprevenidos para que sigan un enlace malicioso. La interacci\u00f3n del usuario es necesaria para una explotaci\u00f3n con \u00e9xito. En el momento de la publicaci\u00f3n consultiva, no se conoc\u00eda la explotaci\u00f3n p\u00fablica de esta vulnerabilidad."}], "id": "CVE-2018-13809", "lastModified": "2019-07-11T22:15:10.717", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-17T14:29:02.840", "references": [{"source": "productcert@siemens.com", "tags": ["Vendor Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-559174.pdf"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}