CVE-2018-5411 - OpenCVE

Pixar's Tractor software, versions 2.2 and earlier, contain a stored cross-site scripting vulnerability in the field that allows a user to add a note to an existing node. The stored information is displayed when a user requests information about the node. An attacker could insert Javascript into this note field that is then saved and displayed to the end user. An attacker might include Javascript that could execute on an authenticated user's system that could lead to website redirects, session cookie hijacking, social engineering, etc. As this is stored with the information about the node, all other authenticated users with access to this data are also vulnerable.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pixar	Tractor

Configuration 1 [-]

cpe:2.3:a:pixar:tractor:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/106209
https://www.kb.cert.org/vuls/id/756913/

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2018-12-13T22:00:00

Updated: 2024-08-05T05:33:44.412Z

Reserved: 2018-01-12T00:00:00

Link: CVE-2018-5411

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-12-13T22:29:00.423

Modified: 2019-10-09T23:41:19.280

Link: CVE-2018-5411

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Tractor", "vendor": "Pixar", "versions": [{"lessThanOrEqual": "2.2", "status": "affected", "version": "2.2", "versionType": "custom"}]}], "datePublic": "2018-12-13T00:00:00", "descriptions": [{"lang": "en", "value": "Pixar's Tractor software, versions 2.2 and earlier, contain a stored cross-site scripting vulnerability in the field that allows a user to add a note to an existing node. The stored information is displayed when a user requests information about the node. An attacker could insert Javascript into this note field that is then saved and displayed to the end user. An attacker might include Javascript that could execute on an authenticated user's system that could lead to website redirects, session cookie hijacking, social engineering, etc. As this is stored with the information about the node, all other authenticated users with access to this data are also vulnerable."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-12-15T10:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"name": "106209", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106209"}, {"name": "VU#756913", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "https://www.kb.cert.org/vuls/id/756913/"}], "solutions": [{"lang": "en", "value": "Pixar has released an updated version of this software that mitigates this vulnerability, Tractor version 2.3 (build 1923604). Affected users should update to this version."}], "source": {"advisory": "VU#756913", "discovery": "UNKNOWN"}, "title": "Pixar's Tractor software, versions 2.2 and earlier, contains a stored cross-site scripting vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2018-5411", "STATE": "PUBLIC", "TITLE": "Pixar's Tractor software, versions 2.2 and earlier, contains a stored cross-site scripting vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Tractor", "version": {"version_data": [{"affected": "<=", "version_affected": "<=", "version_name": "2.2", "version_value": "2.2"}]}}]}, "vendor_name": "Pixar"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Pixar's Tractor software, versions 2.2 and earlier, contain a stored cross-site scripting vulnerability in the field that allows a user to add a note to an existing node. The stored information is displayed when a user requests information about the node. An attacker could insert Javascript into this note field that is then saved and displayed to the end user. An attacker might include Javascript that could execute on an authenticated user's system that could lead to website redirects, session cookie hijacking, social engineering, etc. As this is stored with the information about the node, all other authenticated users with access to this data are also vulnerable."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79"}]}]}, "references": {"reference_data": [{"name": "106209", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106209"}, {"name": "VU#756913", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/756913/"}]}, "solution": [{"lang": "en", "value": "Pixar has released an updated version of this software that mitigates this vulnerability, Tractor version 2.3 (build 1923604). Affected users should update to this version."}], "source": {"advisory": "VU#756913", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T05:33:44.412Z"}, "title": "CVE Program Container", "references": [{"name": "106209", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/106209"}, {"name": "VU#756913", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "https://www.kb.cert.org/vuls/id/756913/"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2018-5411", "datePublished": "2018-12-13T22:00:00", "dateReserved": "2018-01-12T00:00:00", "dateUpdated": "2024-08-05T05:33:44.412Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pixar:tractor:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EB8D266-E03E-4590-8238-FB3A7516B097", "versionEndIncluding": "2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Pixar's Tractor software, versions 2.2 and earlier, contain a stored cross-site scripting vulnerability in the field that allows a user to add a note to an existing node. The stored information is displayed when a user requests information about the node. An attacker could insert Javascript into this note field that is then saved and displayed to the end user. An attacker might include Javascript that could execute on an authenticated user's system that could lead to website redirects, session cookie hijacking, social engineering, etc. As this is stored with the information about the node, all other authenticated users with access to this data are also vulnerable."}, {"lang": "es", "value": "El software Tractor, de Pixar, en versiones 2.2 y anteriores, contiene una vulnerabilidad Cross-Site Scripting (XSS) persistente en el campo que permite a un usuario a\u00f1adir una nota a un nodo existente. La informaci\u00f3n almacenada se muestra cuando un usuario solicita informaci\u00f3n sobre el nodo. Un atacante podr\u00eda insertar JavaScript en este campo note, que luego se guarda y se muestra al usuario. Un atacante podr\u00eda incluir JavaScript que podr\u00eda ejecutarse en el sistema de un usuario autenticado y conducir a redirecciones de sitios web, secuestro de cookies de sesi\u00f3n, ingenier\u00eda social, etc. Como esto se almacena con la informaci\u00f3n sobre el nodo, el resto de usuarios autenticados con acceso a estos datos tambi\u00e9n son vulnerables."}], "id": "CVE-2018-5411", "lastModified": "2019-10-09T23:41:19.280", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-12-13T22:29:00.423", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/106209"}, {"source": "cret@cert.org", "tags": ["US Government Resource", "Third Party Advisory"], "url": "https://www.kb.cert.org/vuls/id/756913/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "cret@cert.org", "type": "Secondary"}]}