CVE-2018-18668 - OpenCVE

GNUBOARD5 before 5.3.2.0 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "homepage title" parameter, aka the adm/config_form_update.php cf_title parameter.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sir	Gnuboard

Configuration 1 [-]

cpe:2.3:a:sir:gnuboard:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/gnuboard/gnuboard5/commit/a45241f4bc46aee1ab2cc0749f6444b043681edf#diff-53f7f220c2d2861a98444adf09471496
https://github.com/gnuboard/gnuboard5/compare/15b2e73...2549172
https://github.com/gnuboard/gnuboard5/releases/tag/5.3.2.0

History

Thu, 19 Sep 2024 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sir Sir gnuboard
CPEs	cpe:2.3:a:gnuboard:gnuboard5::::::::	cpe:2.3:a:sir:gnuboard::::::::
Vendors & Products	Gnuboard Gnuboard gnuboard5	Sir Sir gnuboard

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-08-26T20:04:54

Updated: 2024-08-05T11:16:00.160Z

Reserved: 2018-10-26T00:00:00

Link: CVE-2018-18668

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-08-26T21:15:10.757

Modified: 2024-09-19T11:42:43.340

Link: CVE-2018-18668

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-11-21T00:00:00", "descriptions": [{"lang": "en", "value": "GNUBOARD5 before 5.3.2.0 has XSS that allows remote attackers to inject arbitrary web script or HTML via the \"homepage title\" parameter, aka the adm/config_form_update.php cf_title parameter."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-26T20:04:54", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/gnuboard/gnuboard5/compare/15b2e73...2549172"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/gnuboard/gnuboard5/commit/a45241f4bc46aee1ab2cc0749f6444b043681edf#diff-53f7f220c2d2861a98444adf09471496"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gnuboard/gnuboard5/releases/tag/5.3.2.0"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-18668", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "GNUBOARD5 before 5.3.2.0 has XSS that allows remote attackers to inject arbitrary web script or HTML via the \"homepage title\" parameter, aka the adm/config_form_update.php cf_title parameter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/gnuboard/gnuboard5/compare/15b2e73...2549172", "refsource": "MISC", "url": "https://github.com/gnuboard/gnuboard5/compare/15b2e73...2549172"}, {"name": "https://github.com/gnuboard/gnuboard5/commit/a45241f4bc46aee1ab2cc0749f6444b043681edf#diff-53f7f220c2d2861a98444adf09471496", "refsource": "MISC", "url": "https://github.com/gnuboard/gnuboard5/commit/a45241f4bc46aee1ab2cc0749f6444b043681edf#diff-53f7f220c2d2861a98444adf09471496"}, {"name": "https://github.com/gnuboard/gnuboard5/releases/tag/5.3.2.0", "refsource": "CONFIRM", "url": "https://github.com/gnuboard/gnuboard5/releases/tag/5.3.2.0"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T11:16:00.160Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/gnuboard/gnuboard5/compare/15b2e73...2549172"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/gnuboard/gnuboard5/commit/a45241f4bc46aee1ab2cc0749f6444b043681edf#diff-53f7f220c2d2861a98444adf09471496"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/gnuboard/gnuboard5/releases/tag/5.3.2.0"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-18668", "datePublished": "2019-08-26T20:04:54", "dateReserved": "2018-10-26T00:00:00", "dateUpdated": "2024-08-05T11:16:00.160Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sir:gnuboard:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF09571B-B906-41A9-BB81-EBC68AD87F66", "versionEndExcluding": "5.3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GNUBOARD5 before 5.3.2.0 has XSS that allows remote attackers to inject arbitrary web script or HTML via the \"homepage title\" parameter, aka the adm/config_form_update.php cf_title parameter."}, {"lang": "es", "value": "GNUBOARD5 versiones anteriores a la 5.3.2.0 tiene XSS que permite a los atacantes remotos inyectar script web arbitrario o HTML a trav\u00e9s del par\u00e1metro \"t\u00edtulo de la p\u00e1gina de inicio\", tambi\u00e9n conocido como el par\u00e1metro adm / config_form_update.php cf_title."}], "id": "CVE-2018-18668", "lastModified": "2024-09-19T11:42:43.340", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-26T21:15:10.757", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/gnuboard/gnuboard5/commit/a45241f4bc46aee1ab2cc0749f6444b043681edf#diff-53f7f220c2d2861a98444adf09471496"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/gnuboard/gnuboard5/compare/15b2e73...2549172"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/gnuboard/gnuboard5/releases/tag/5.3.2.0"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}