CVE-2019-1010147 - OpenCVE

Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bmc	Remedy Smart Reporting
Yellowfinbi	Yellowfin Bi

Configuration 1 [-]

OR	cpe:2.3:a:bmc:remedy_smart_reporting:-:::::::*
	cpe:2.3:a:yellowfinbi:yellowfin_bi::::::::

No data.

References

Link	Providers
https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS

History

No history.

MITRE

Status: PUBLISHED

Assigner: dwf

Published: 2019-07-25T23:02:40

Updated: 2024-08-05T03:07:18.348Z

Reserved: 2019-03-20T00:00:00

Link: CVE-2019-1010147

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-07-26T00:15:11.073

Modified: 2019-08-05T13:26:44.980

Link: CVE-2019-1010147

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Smart Reporting", "vendor": "Yellowfin", "versions": [{"status": "affected", "version": "< 7.3 [fixed: 7.4 and later]"}]}], "descriptions": [{"lang": "en", "value": "Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later."}], "problemTypes": [{"descriptions": [{"description": "Incorrect Access Control - Privileges Escalation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-25T23:02:40", "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "shortName": "dwf"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@distributedweaknessfiling.org", "ID": "CVE-2019-1010147", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Smart Reporting", "version": {"version_data": [{"version_value": "< 7.3 [fixed: 7.4 and later]"}]}}]}, "vendor_name": "Yellowfin"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Incorrect Access Control - Privileges Escalation"}]}]}, "references": {"reference_data": [{"name": "https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS", "refsource": "MISC", "url": "https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:07:18.348Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS"}]}]}, "cveMetadata": {"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "assignerShortName": "dwf", "cveId": "CVE-2019-1010147", "datePublished": "2019-07-25T23:02:40", "dateReserved": "2019-03-20T00:00:00", "dateUpdated": "2024-08-05T03:07:18.348Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bmc:remedy_smart_reporting:-:*:*:*:*:*:*:*", "matchCriteriaId": "F3B099D6-62C3-4877-9B13-FF948200EC37", "vulnerable": true}, {"criteria": "cpe:2.3:a:yellowfinbi:yellowfin_bi:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B8D0086-5FCB-4035-BA80-9BFFBBD5CA40", "versionEndExcluding": "7.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later."}, {"lang": "es", "value": "Yellowfin Smart Reporting Todas las Versiones Anteriores a 7.3 est\u00e1n afectadas por: Control de Acceso Incorrecto - Escalamiento de Privilegios. El impacto es: V\u00edctima atacada y acceso a la funcionalidad de administraci\u00f3n por medio de su navegador y el navegador de control. El componente es: archivo MIAdminStyles.i4. El vector de ataque es: Las v\u00edctimas normalmente son atra\u00eddas a un sitio web bajo el control del atacante; la vulnerabilidad de tipo XSS en el dominio apuntado se explota silenciosamente sin el conocimiento de la v\u00edctima. La versi\u00f3n corregida es: 7.4 y posteriores."}], "id": "CVE-2019-1010147", "lastModified": "2019-08-05T13:26:44.980", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-26T00:15:11.073", "references": [{"source": "josh@bress.net", "tags": ["Exploit", "Third Party Advisory"], "url": "https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS"}], "sourceIdentifier": "josh@bress.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}