CVE-2019-10085 - OpenCVE

In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Allura

Configuration 1 [-]

cpe:2.3:a:apache:allura:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/108816
https://lists.apache.org/thread.html/88c064c95da2f41d5435ca5b3e364925bed72cc73bcec9b3f25e4c07%40%3Cdev.allura.apache.org%3E
https://lists.apache.org/thread.html/9a20914c4251a2ae3caebd8d0dd0056f3ac89209d6c216bb89efabd9%40%3Cannounce.apache.org%3E

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2019-06-18T23:07:22

Updated: 2024-08-04T22:10:09.434Z

Reserved: 2019-03-26T00:00:00

Link: CVE-2019-10085

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-06-19T00:15:12.313

Modified: 2023-11-07T03:02:22.630

Link: CVE-2019-10085

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Allura", "vendor": "n/a", "versions": [{"status": "affected", "version": "Apache Allura prior to 1.11.0"}]}], "descriptions": [{"lang": "en", "value": "In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page."}], "problemTypes": [{"descriptions": [{"description": "XSS Vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-19T17:06:02", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/88c064c95da2f41d5435ca5b3e364925bed72cc73bcec9b3f25e4c07%40%3Cdev.allura.apache.org%3E"}, {"name": "108816", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108816"}, {"name": "[announce] 20190618 CVE-2019-10085 Apache Allura XSS vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/9a20914c4251a2ae3caebd8d0dd0056f3ac89209d6c216bb89efabd9%40%3Cannounce.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2019-10085", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Allura", "version": {"version_data": [{"version_value": "Apache Allura prior to 1.11.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "XSS Vulnerability"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/88c064c95da2f41d5435ca5b3e364925bed72cc73bcec9b3f25e4c07@%3Cdev.allura.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/88c064c95da2f41d5435ca5b3e364925bed72cc73bcec9b3f25e4c07@%3Cdev.allura.apache.org%3E"}, {"name": "108816", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108816"}, {"name": "[announce] 20190618 CVE-2019-10085 Apache Allura XSS vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/9a20914c4251a2ae3caebd8d0dd0056f3ac89209d6c216bb89efabd9@%3Cannounce.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:10:09.434Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/88c064c95da2f41d5435ca5b3e364925bed72cc73bcec9b3f25e4c07%40%3Cdev.allura.apache.org%3E"}, {"name": "108816", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/108816"}, {"name": "[announce] 20190618 CVE-2019-10085 Apache Allura XSS vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/9a20914c4251a2ae3caebd8d0dd0056f3ac89209d6c216bb89efabd9%40%3Cannounce.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-10085", "datePublished": "2019-06-18T23:07:22", "dateReserved": "2019-03-26T00:00:00", "dateUpdated": "2024-08-04T22:10:09.434Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:allura:*:*:*:*:*:*:*:*", "matchCriteriaId": "30802C26-70C1-47AC-AE61-3B668E2E0D02", "versionEndExcluding": "1.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page."}, {"lang": "es", "value": "En Apache Allura en versiones anteriores a la 1.11.0, se presenta una vulnerabilidad de tipo XSS almacenado en el selector desplegable de usuario al crear o editar tickets. El XSS se ejecuta cuando un usuario interact\u00faa con dicho desplegable en esa p\u00e1gina."}], "id": "CVE-2019-10085", "lastModified": "2023-11-07T03:02:22.630", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-19T00:15:12.313", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/108816"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/88c064c95da2f41d5435ca5b3e364925bed72cc73bcec9b3f25e4c07%40%3Cdev.allura.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/9a20914c4251a2ae3caebd8d0dd0056f3ac89209d6c216bb89efabd9%40%3Cannounce.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}