CVE-2019-1010247 - OpenCVE

ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openidc	Mod Auth Openidc

Configuration 1 [-]

cpe:2.3:a:openidc:mod_auth_openidc:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/zmartzone/mod_auth_openidc/commit/132a4111bf3791e76437619a66336dce2ce4c79b
https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.3.10.2
https://lists.debian.org/debian-lts-announce/2019/08/msg00029.html
https://lists.debian.org/debian-lts-announce/2020/07/msg00028.html
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-001_mod_auth_openidc_reflected_xss.txt

History

No history.

MITRE

Status: PUBLISHED

Assigner: dwf

Published: 2019-07-19T14:13:56

Updated: 2024-08-05T03:07:18.449Z

Reserved: 2019-03-20T00:00:00

Link: CVE-2019-1010247

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-07-19T15:15:12.063

Modified: 2023-05-25T20:18:46.990

Link: CVE-2019-1010247

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "mod_auth_openidc", "vendor": "ZmartZone IAM", "versions": [{"status": "affected", "version": "2.3.10.1 and earlier [fixed: 2.3.10.2]"}]}], "descriptions": [{"lang": "en", "value": "ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2."}], "problemTypes": [{"descriptions": [{"description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-29T23:06:11", "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "shortName": "dwf"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.3.10.2"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zmartzone/mod_auth_openidc/commit/132a4111bf3791e76437619a66336dce2ce4c79b"}, {"tags": ["x_refsource_MISC"], "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-001_mod_auth_openidc_reflected_xss.txt"}, {"name": "[debian-lts-announce] 20190823 [SECURITY] [DLA 1894-1] libapache2-mod-auth-openidc security", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00029.html"}, {"name": "[debian-lts-announce] 20200729 [SECURITY] [DLA 2298-1] libapache2-mod-auth-openidc security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00028.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@distributedweaknessfiling.org", "ID": "CVE-2019-1010247", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "mod_auth_openidc", "version": {"version_data": [{"version_value": "2.3.10.1 and earlier [fixed: 2.3.10.2]"}]}}]}, "vendor_name": "ZmartZone IAM"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross Site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.3.10.2", "refsource": "MISC", "url": "https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.3.10.2"}, {"name": "https://github.com/zmartzone/mod_auth_openidc/commit/132a4111bf3791e76437619a66336dce2ce4c79b", "refsource": "MISC", "url": "https://github.com/zmartzone/mod_auth_openidc/commit/132a4111bf3791e76437619a66336dce2ce4c79b"}, {"name": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-001_mod_auth_openidc_reflected_xss.txt", "refsource": "MISC", "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-001_mod_auth_openidc_reflected_xss.txt"}, {"name": "[debian-lts-announce] 20190823 [SECURITY] [DLA 1894-1] libapache2-mod-auth-openidc security", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00029.html"}, {"name": "[debian-lts-announce] 20200729 [SECURITY] [DLA 2298-1] libapache2-mod-auth-openidc security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00028.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:07:18.449Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.3.10.2"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zmartzone/mod_auth_openidc/commit/132a4111bf3791e76437619a66336dce2ce4c79b"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-001_mod_auth_openidc_reflected_xss.txt"}, {"name": "[debian-lts-announce] 20190823 [SECURITY] [DLA 1894-1] libapache2-mod-auth-openidc security", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00029.html"}, {"name": "[debian-lts-announce] 20200729 [SECURITY] [DLA 2298-1] libapache2-mod-auth-openidc security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00028.html"}]}]}, "cveMetadata": {"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "assignerShortName": "dwf", "cveId": "CVE-2019-1010247", "datePublished": "2019-07-19T14:13:56", "dateReserved": "2019-03-20T00:00:00", "dateUpdated": "2024-08-05T03:07:18.449Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openidc:mod_auth_openidc:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EC27208-2C72-4228-BFD4-9BFCBA66A9A8", "versionEndExcluding": "2.3.10.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2."}, {"lang": "es", "value": "IAM mod_auth_openidc versi\u00f3n 2.3.10.1 y anteriores de ZmartZone, est\u00e1 afectado por: Vulnerabilidad de tipo Cross-Site Scripting (XSS). El impacto es: Redireccionar al usuario a una p\u00e1gina de phishing o interactuar con la aplicaci\u00f3n en nombre del usuario. El componente es: Archivo: src/mod_auth_openidc.c, L\u00ednea: 3109. La versi\u00f3n corregida es: 2.3.10.2."}], "id": "CVE-2019-1010247", "lastModified": "2023-05-25T20:18:46.990", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-19T15:15:12.063", "references": [{"source": "josh@bress.net", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zmartzone/mod_auth_openidc/commit/132a4111bf3791e76437619a66336dce2ce4c79b"}, {"source": "josh@bress.net", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.3.10.2"}, {"source": "josh@bress.net", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00029.html"}, {"source": "josh@bress.net", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00028.html"}, {"source": "josh@bress.net", "tags": ["Third Party Advisory"], "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-001_mod_auth_openidc_reflected_xss.txt"}], "sourceIdentifier": "josh@bress.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}