{"containers": {"cna": {"affected": [{"product": "Eclipse BIRT", "vendor": "The Eclipse Foundation", "versions": [{"status": "affected", "version": "1.0 to 4.7"}]}], "descriptions": [{"lang": "en", "value": "In Eclipse BIRT versions 1.0 to 4.7, the Report Viewer allows Reflected XSS in URL parameter. Attacker can execute the payload in victim's browser context."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-08-09T18:41:16", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546816"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@eclipse.org", "ID": "CVE-2019-11776", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Eclipse BIRT", "version": {"version_data": [{"version_value": "1.0 to 4.7"}]}}]}, "vendor_name": "The Eclipse Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Eclipse BIRT versions 1.0 to 4.7, the Report Viewer allows Reflected XSS in URL parameter. Attacker can execute the payload in victim's browser context."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation"}]}]}, "references": {"reference_data": [{"name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546816", "refsource": "CONFIRM", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546816"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:03:32.740Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546816"}]}]}, "cveMetadata": {"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2019-11776", "datePublished": "2019-08-09T18:41:16", "dateReserved": "2019-05-06T00:00:00", "dateUpdated": "2024-08-04T23:03:32.740Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:business_intelligence_and_reporting_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "1CFCA522-FCA5-4EA0-8357-7E89E514C4B6", "versionEndIncluding": "4.7.0", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Eclipse BIRT versions 1.0 to 4.7, the Report Viewer allows Reflected XSS in URL parameter. Attacker can execute the payload in victim's browser context."}, {"lang": "es", "value": "En BIRT de Eclipse versiones 1.0 hasta 4.7, el Visor de Reportes permite un ataque de tipo XSS reflejado en el par\u00e1metro URL. El atacante puede ejecutar la carga \u00fatil en el contexto del navegador de la v\u00edctima."}], "id": "CVE-2019-11776", "lastModified": "2024-11-21T04:21:46.273", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-09T19:15:11.063", "references": [{"source": "emo@eclipse.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546816"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546816"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "emo@eclipse.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "eclipse-birt: report viewer allows reflected XSS in __format url parameter", "id": "1743100", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743100"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["In Eclipse BIRT versions 1.0 to 4.7, the Report Viewer allows Reflected XSS in URL parameter. Attacker can execute the payload in victim's browser context.", "A reflected cross-site scripting (XSS) vulnerability was found in the Eclipse BIRT Report Viewer. Specifically, the __format parameter is not sufficiently sanitized, allowing JavaScript to be inserted in the URL. A remote attacker can exploit this flaw to execute JavaScript code within the context of the affected user."], "name": "CVE-2019-11776", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "eclipse-birt", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2019-04-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-11776\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-11776"], "statement": "This flaw did not affect the versions of eclipse-birt as shipped with Red Hat Enterprise Linux 6, as they did not include the BIRT Viewer component.", "threat_severity": "Moderate"}