{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A stored and reflected cross-site scripting (XSS) vulnerability in WiKID 2FA Enterprise Server through 4.2.0-b2047 allow remote attackers to inject arbitrary web script or HTML via /WiKIDAdmin/adm_usrs.jsp. The usr parameter is vulnerable: the reflected cross-site scripting occurs immediately after the user is created. The malicious script is stored and will be executed whenever /WiKIDAdmin/adm_usrs.jsp is visited."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-10-19T17:06:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-cross-site-scripting"}, {"name": "20191018 WiKID 2FA Enterprise Server Multiple Issues", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Oct/35"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/154912/WiKID-Systems-2FA-Enterprise-Server-4.2.0-b2032-SQL-Injection-XSS-CSRF.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17120", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A stored and reflected cross-site scripting (XSS) vulnerability in WiKID 2FA Enterprise Server through 4.2.0-b2047 allow remote attackers to inject arbitrary web script or HTML via /WiKIDAdmin/adm_usrs.jsp. The usr parameter is vulnerable: the reflected cross-site scripting occurs immediately after the user is created. The malicious script is stored and will be executed whenever /WiKIDAdmin/adm_usrs.jsp is visited."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-cross-site-scripting", "refsource": "MISC", "url": "https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-cross-site-scripting"}, {"name": "20191018 WiKID 2FA Enterprise Server Multiple Issues", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Oct/35"}, {"name": "http://packetstormsecurity.com/files/154912/WiKID-Systems-2FA-Enterprise-Server-4.2.0-b2032-SQL-Injection-XSS-CSRF.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/154912/WiKID-Systems-2FA-Enterprise-Server-4.2.0-b2032-SQL-Injection-XSS-CSRF.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:33:16.560Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-cross-site-scripting"}, {"name": "20191018 WiKID 2FA Enterprise Server Multiple Issues", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Oct/35"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/154912/WiKID-Systems-2FA-Enterprise-Server-4.2.0-b2032-SQL-Injection-XSS-CSRF.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17120", "datePublished": "2019-10-17T18:10:16", "dateReserved": "2019-10-04T00:00:00", "dateUpdated": "2024-08-05T01:33:16.560Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.4.81:b676:*:*:*:*:*:*", "matchCriteriaId": "4753C348-0E95-42C1-9046-A6F0A925BFA0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.4.85:b780:*:*:*:*:*:*", "matchCriteriaId": "742AF05F-BDFC-4B5D-B7C2-16EBB12423EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.4.87:b1092:*:*:*:*:*:*", "matchCriteriaId": "0A8A4B86-C166-41BF-91F8-3A0E5935DFE4", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.4.87:b1159:*:*:*:*:*:*", "matchCriteriaId": "5F0AD527-F28E-4D31-B3E4-164E50C7AE57", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.4.87:b1169:*:*:*:*:*:*", "matchCriteriaId": "3700CDE8-3E6F-45BB-ABAF-F39F47421114", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.4.87:b1216:*:*:*:*:*:*", "matchCriteriaId": "9895837A-1172-4033-A431-77F959E742AA", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.4.87:b824:*:*:*:*:*:*", "matchCriteriaId": "EF2A28EA-E801-4E48-9C7C-7F2338D601B9", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.4.87:b839:*:*:*:*:*:*", "matchCriteriaId": "B6061A10-388F-43F1-A60B-E05BFB8D9ADB", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.5.0:b1342:*:*:*:*:*:*", "matchCriteriaId": "1639C27B-E99D-4E4C-8359-BF1DAA540077", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.5.0:b1352:*:*:*:*:*:*", "matchCriteriaId": "D35F177D-13EB-4BF8-85D6-96D311A1F393", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.5.0:b1359:*:*:*:*:*:*", "matchCriteriaId": "80491F52-2BB1-4CA6-B029-773D7648D618", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.5.0:b1373:*:*:*:*:*:*", "matchCriteriaId": "A640A1D2-F902-48CD-A5CF-431254B9A4B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.5.0:b1403:*:*:*:*:*:*", "matchCriteriaId": "3E9584C7-368F-40CB-9424-3C7D3206A9EE", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.5.0:b1411:*:*:*:*:*:*", "matchCriteriaId": "203D7585-27A1-4F82-89ED-2B7B266C18D3", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.5.0:b1421:*:*:*:*:*:*", "matchCriteriaId": "5F9CAFF9-F38C-4598-BE10-C9B4BDCEFB20", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.5.0:b1428:*:*:*:*:*:*", "matchCriteriaId": "BC4359FB-27A1-445D-9C6D-F179E67A59E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.5.0:b1438:*:*:*:*:*:*", "matchCriteriaId": "DC403DA6-072D-4DC2-9EB0-2CE79BF581AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.5.0:b1472:*:*:*:*:*:*", "matchCriteriaId": "38944F12-D0AD-460D-8057-9DE11B0FD511", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.5.0:b1542:*:*:*:*:*:*", "matchCriteriaId": "FB04F7A6-77BD-4810-83E4-6F82EA0EFB62", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.5.0:b1580:*:*:*:*:*:*", "matchCriteriaId": "C4F8E828-9BCE-4E5D-95F2-A3636D6158F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.6.0:b1659:*:*:*:*:*:*", "matchCriteriaId": "5674FE03-7B90-4F49-B7F9-A8ADBF25FC00", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:3.6.0:b1672:*:*:*:*:*:*", "matchCriteriaId": "284197BB-7B78-425B-8410-5C3717749B5C", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.0:b1787:*:*:*:*:*:*", "matchCriteriaId": "7A74FCAD-E081-4FF1-B49D-A542197A25FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.0:b1798:*:*:*:*:*:*", "matchCriteriaId": "CE459BA2-3B76-4A4E-BEAD-10B21EB6D5F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.0:b1803:*:*:*:*:*:*", "matchCriteriaId": "7E6CF12D-F364-42EC-94F4-D168B9B7AE34", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.0.1:b1817:*:*:*:*:*:*", "matchCriteriaId": "51FBB683-6236-4AF4-8BC9-45E445B05065", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.0.1:b1821:*:*:*:*:*:*", "matchCriteriaId": "CA967277-B0F1-4D91-9FE5-5DC6718E8B5F", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.0.1:b1905:*:*:*:*:*:*", "matchCriteriaId": "68E22857-BEA7-4C36-B044-3B1CF70CDB37", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.0.1:b1906:*:*:*:*:*:*", "matchCriteriaId": "5EE7F837-AB7C-4743-8380-A479ADC8B9E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.0.2:b1917:*:*:*:*:*:*", "matchCriteriaId": "7C873DAC-3CDE-439B-B337-94C5C1589DF1", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.0.2:b1921:*:*:*:*:*:*", "matchCriteriaId": "21E0DC7C-D1E6-4836-A367-0E00AA82F208", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.1.0:b1926:*:*:*:*:*:*", "matchCriteriaId": "74586937-9BF8-4D5A-AD5F-131DE95CB4CA", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.1.0:b1941:*:*:*:*:*:*", "matchCriteriaId": "F519574C-6A12-4469-8A66-91CEA680CD70", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.1.0:b1949:*:*:*:*:*:*", "matchCriteriaId": "DE822EC3-D06E-42A6-A6B6-28B1F1A73831", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.1.0:b1955:*:*:*:*:*:*", "matchCriteriaId": "23B9CEEC-EE7F-489E-B764-331263183CE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.2.0:b1978:*:*:*:*:*:*", "matchCriteriaId": "C77D0966-21EA-4DB3-8AE7-83F745FB7820", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.2.0:b1981:*:*:*:*:*:*", "matchCriteriaId": "3D3B0A02-93F4-492D-810A-720448C624BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.2.0:b1984:*:*:*:*:*:*", "matchCriteriaId": "70ACC996-D417-48C9-9376-40AECBC0273C", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.2.0:b2007:*:*:*:*:*:*", "matchCriteriaId": "CDA6CDF4-46F8-43F6-8843-61A05ADDD505", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.2.0:b2014:*:*:*:*:*:*", "matchCriteriaId": "D53E57B3-DFFB-448C-9610-463978C9E489", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.2.0:b2016:*:*:*:*:*:*", "matchCriteriaId": "2E37F883-B939-4F6F-B20F-3ABB43BDBD1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.2.0:b2020:*:*:*:*:*:*", "matchCriteriaId": "20533E08-D4C3-42E5-8DE9-94F30710829A", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.2.0:b2023:*:*:*:*:*:*", "matchCriteriaId": "A13F872F-C8F2-49D4-9A05-49AA8DE3994E", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.2.0:b2028:*:*:*:*:*:*", "matchCriteriaId": "F03ADD91-7621-4314-A1DF-380CC51EBE0D", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.2.0:b2032:*:*:*:*:*:*", "matchCriteriaId": "5D164551-F37A-4F3E-9868-C5CC2578144E", "vulnerable": true}, {"criteria": "cpe:2.3:a:wikidsystems:2fa_enterprise_server:4.2.0:b2047:*:*:*:*:*:*", "matchCriteriaId": "807A8ECD-CC2A-4141-B060-0C6FA65040F9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A stored and reflected cross-site scripting (XSS) vulnerability in WiKID 2FA Enterprise Server through 4.2.0-b2047 allow remote attackers to inject arbitrary web script or HTML via /WiKIDAdmin/adm_usrs.jsp. The usr parameter is vulnerable: the reflected cross-site scripting occurs immediately after the user is created. The malicious script is stored and will be executed whenever /WiKIDAdmin/adm_usrs.jsp is visited."}, {"lang": "es", "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) almacenado y reflejado en WiKID 2FA Enterprise Server versiones hasta 4.2.0-b2047, permite a los atacantes remotos inyectar script web o HTML arbitrario por medio del archivo /WiKIDAdmin/adm_usrs.jsp. El par\u00e1metro usr es vulnerable: a que ocurra un ataque de tipo cross-site scripting reflejado inmediatamente despu\u00e9s de que el usuario es creado. El script malicioso es almacenado y ser\u00e1 ejecutado siempre que sea visitado el archivo /WiKIDAdmin/adm_usrs.jsp."}], "id": "CVE-2019-17120", "lastModified": "2019-10-31T19:03:56.120", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-17T19:15:10.937", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/154912/WiKID-Systems-2FA-Enterprise-Server-4.2.0-b2032-SQL-Injection-XSS-CSRF.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Oct/35"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-cross-site-scripting"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}