CVE-2019-16414 - OpenCVE

A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page to send back a victim's cleartext credentials to an attacker via a login/?reason=failure&NTLM= URI.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gfi	Kerio Control

Configuration 1 [-]

cpe:2.3:a:gfi:kerio_control:9.3.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/154678/GFI-Kerio-Control-9.3.0-Cross-Site-Scripting.html
http://seclists.org/fulldisclosure/2019/Sep/35
https://twitter.com/haxel0rd/status/1174279811751174144
https://www.youtube.com/watch?v=ZqqR89vzZ_I

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-09-30T12:10:20

Updated: 2024-08-05T01:17:40.917Z

Reserved: 2019-09-18T00:00:00

Link: CVE-2019-16414

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-09-30T13:15:10.763

Modified: 2019-10-04T14:43:05.937

Link: CVE-2019-16414

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page to send back a victim's cleartext credentials to an attacker via a login/?reason=failure&NTLM= URI."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-10-01T22:06:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://twitter.com/haxel0rd/status/1174279811751174144"}, {"tags": ["x_refsource_MISC"], "url": "http://seclists.org/fulldisclosure/2019/Sep/35"}, {"tags": ["x_refsource_MISC"], "url": "https://www.youtube.com/watch?v=ZqqR89vzZ_I"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/154678/GFI-Kerio-Control-9.3.0-Cross-Site-Scripting.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-16414", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page to send back a victim's cleartext credentials to an attacker via a login/?reason=failure&NTLM= URI."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://twitter.com/haxel0rd/status/1174279811751174144", "refsource": "MISC", "url": "https://twitter.com/haxel0rd/status/1174279811751174144"}, {"name": "http://seclists.org/fulldisclosure/2019/Sep/35", "refsource": "MISC", "url": "http://seclists.org/fulldisclosure/2019/Sep/35"}, {"name": "https://www.youtube.com/watch?v=ZqqR89vzZ_I", "refsource": "MISC", "url": "https://www.youtube.com/watch?v=ZqqR89vzZ_I"}, {"name": "http://packetstormsecurity.com/files/154678/GFI-Kerio-Control-9.3.0-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/154678/GFI-Kerio-Control-9.3.0-Cross-Site-Scripting.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:17:40.917Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://twitter.com/haxel0rd/status/1174279811751174144"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Sep/35"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.youtube.com/watch?v=ZqqR89vzZ_I"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/154678/GFI-Kerio-Control-9.3.0-Cross-Site-Scripting.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-16414", "datePublished": "2019-09-30T12:10:20", "dateReserved": "2019-09-18T00:00:00", "dateUpdated": "2024-08-05T01:17:40.917Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gfi:kerio_control:9.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "0DAA7D40-BB74-4004-801B-E59600144BA2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page to send back a victim's cleartext credentials to an attacker via a login/?reason=failure&NTLM= URI."}, {"lang": "es", "value": "Una vulnerabilidad de tipo XSS basado en DOM en GFI Kerio Control versi\u00f3n v9.3.0, permite insertar c\u00f3digo malicioso y manipular la p\u00e1gina de inicio de sesi\u00f3n para enviar de vuelta las credenciales de la v\u00edctima en texto sin cifrar para un atacante por medio de un inicio de un URI sesi\u00f3n/?reason=failure&NTLM=."}], "id": "CVE-2019-16414", "lastModified": "2019-10-04T14:43:05.937", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-30T13:15:10.763", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "http://packetstormsecurity.com/files/154678/GFI-Kerio-Control-9.3.0-Cross-Site-Scripting.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Sep/35"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://twitter.com/haxel0rd/status/1174279811751174144"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.youtube.com/watch?v=ZqqR89vzZ_I"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}