CVE-2019-13407 - OpenCVE

A XSS found in Advan VD-1 firmware versions up to 230. VD-1 responses a path error message when a requested resource was not found in page cgibin/ssi.cgi. It leads to a reflected XSS because the error message does not escape properly.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Androvideo	Vd 1 Vd 1 Firmware
Geovision	Gv-vd8700 Gv-vd8700 Firmware Gv-vr360 Gv-vr360 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:androvideo:vd_1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:androvideo:vd_1:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:geovision:gv-vr360_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:geovision:gv-vr360:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:geovision:gv-vd8700_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:geovision:gv-vd8700:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://surl.twcert.org.tw/SpTwh
https://gist.github.com/keniver/f5155b42eb278ec0273b83565b64235b#file-androvideo-advan-vd-1-multiple-vulnerabilities-md
https://tvn.twcert.org.tw/taiwanvn/TVN-201906008

History

No history.

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2019-08-29T00:19:39.243018Z

Updated: 2024-09-16T22:16:10.244Z

Reserved: 2019-07-08T00:00:00

Link: CVE-2019-13407

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-08-29T01:15:11.710

Modified: 2019-10-09T23:46:27.500

Link: CVE-2019-13407

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Advan VD-1 firmware", "vendor": "AndroVideo", "versions": [{"status": "affected", "version": "up to 230"}]}], "credits": [{"lang": "en", "value": "Keniver Wang (CHT Security)"}], "datePublic": "2019-08-20T00:00:00", "descriptions": [{"lang": "en", "value": "A XSS found in Advan VD-1 firmware versions up to 230. VD-1 responses a path error message when a requested resource was not found in page cgibin/ssi.cgi. It leads to a reflected XSS because the error message does not escape properly."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-08-29T00:19:39", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://gist.github.com/keniver/f5155b42eb278ec0273b83565b64235b#file-androvideo-advan-vd-1-multiple-vulnerabilities-md"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201906008"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://surl.twcert.org.tw/SpTwh"}], "source": {"discovery": "EXTERNAL"}, "title": "Advan VD-1 has a reflected XSS vulnerability in page cgibin/ssi.cgi", "x_generator": {"engine": "Vulnogram 0.0.7"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2019-08-20T16:00:00.000Z", "ID": "CVE-2019-13407", "STATE": "PUBLIC", "TITLE": "Advan VD-1 has a reflected XSS vulnerability in page cgibin/ssi.cgi"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Advan VD-1 firmware", "version": {"version_data": [{"version_value": "up to 230"}]}}]}, "vendor_name": "AndroVideo"}]}}, "credit": [{"lang": "eng", "value": "Keniver Wang (CHT Security)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A XSS found in Advan VD-1 firmware versions up to 230. VD-1 responses a path error message when a requested resource was not found in page cgibin/ssi.cgi. It leads to a reflected XSS because the error message does not escape properly."}]}, "generator": {"engine": "Vulnogram 0.0.7"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://gist.github.com/keniver/f5155b42eb278ec0273b83565b64235b#file-androvideo-advan-vd-1-multiple-vulnerabilities-md", "refsource": "CONFIRM", "url": "https://gist.github.com/keniver/f5155b42eb278ec0273b83565b64235b#file-androvideo-advan-vd-1-multiple-vulnerabilities-md"}, {"name": "https://tvn.twcert.org.tw/taiwanvn/TVN-201906008", "refsource": "CONFIRM", "url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201906008"}, {"name": "http://surl.twcert.org.tw/SpTwh", "refsource": "CONFIRM", "url": "http://surl.twcert.org.tw/SpTwh"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:49:25.009Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://gist.github.com/keniver/f5155b42eb278ec0273b83565b64235b#file-androvideo-advan-vd-1-multiple-vulnerabilities-md"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201906008"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://surl.twcert.org.tw/SpTwh"}]}]}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2019-13407", "datePublished": "2019-08-29T00:19:39.243018Z", "dateReserved": "2019-07-08T00:00:00", "dateUpdated": "2024-09-16T22:16:10.244Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:androvideo:vd_1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "3DD30743-4857-42DE-853E-0AB67F1D2ADE", "versionEndIncluding": "230", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:androvideo:vd_1:-:*:*:*:*:*:*:*", "matchCriteriaId": "B1574006-94D7-4144-BE9D-FD28A920FF65", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:geovision:gv-vr360_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "743F5C10-A4FF-4966-A176-58C6CDD3D769", "versionEndIncluding": "1.10", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:geovision:gv-vr360:-:*:*:*:*:*:*:*", "matchCriteriaId": "D3E10A54-A224-4F1C-AC58-83A9C616A354", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:geovision:gv-vd8700_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "64A08F29-4477-49CF-A84F-32555A2A95A1", "versionEndIncluding": "1.01", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:geovision:gv-vd8700:-:*:*:*:*:*:*:*", "matchCriteriaId": "2CB7CE78-58AA-4C0A-B45F-52E08AB0F9E9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A XSS found in Advan VD-1 firmware versions up to 230. VD-1 responses a path error message when a requested resource was not found in page cgibin/ssi.cgi. It leads to a reflected XSS because the error message does not escape properly."}, {"lang": "es", "value": "Un XSS encontrado en las versiones de firmware Advan VD-1 hasta 230. VD-1 responde a un mensaje de error de ruta de acceso cuando no se encontr\u00f3 un recurso solicitado en la p\u00e1gina cgibin/ssi.cgi. Conduce a un XSS reflejado porque el mensaje de error no se escapa correctamente."}], "id": "CVE-2019-13407", "lastModified": "2019-10-09T23:46:27.500", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-29T01:15:11.710", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "http://surl.twcert.org.tw/SpTwh"}, {"source": "twcert@cert.org.tw", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/keniver/f5155b42eb278ec0273b83565b64235b#file-androvideo-advan-vd-1-multiple-vulnerabilities-md"}, {"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201906008"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "twcert@cert.org.tw", "type": "Secondary"}]}