CVE-2019-3602 - OpenCVE

Cross Site Scripting (XSS) vulnerability in McAfee Network Security Manager (NSM) Prior to 9.1 Update 5 allows an authenticated administrator to embed an XSS in the administrator interface via a specially crafted custom rule containing HTML.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mcafee	Network Security Manager

Configuration 1 [-]

OR	cpe:2.3:a:mcafee:network_security_manager::::::::
	cpe:2.3:a:mcafee:network_security_manager:9.1:-::::::
	cpe:2.3:a:mcafee:network_security_manager:9.1:update_1::::::
	cpe:2.3:a:mcafee:network_security_manager:9.1:update_2::::::
	cpe:2.3:a:mcafee:network_security_manager:9.1:update_3::::::
	cpe:2.3:a:mcafee:network_security_manager:9.1:update_4::::::

No data.

References

Link	Providers
http://www.securityfocus.com/bid/108400
https://kc.mcafee.com/corporate/index?page=content&id=SB10281

History

No history.

MITRE

Status: PUBLISHED

Assigner: trellix

Published: 2019-05-15T15:47:03

Updated: 2024-08-04T19:12:09.689Z

Reserved: 2019-01-03T00:00:00

Link: CVE-2019-3602

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-05-15T16:29:00.613

Modified: 2023-11-07T03:09:59.120

Link: CVE-2019-3602

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "McAfee Network Security Manager (NSM)", "vendor": "McAfee, LLC", "versions": [{"lessThan": "9.1 update 5 (9.1.7.77)", "status": "affected", "version": "9.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Cross Site Scripting (XSS) vulnerability in McAfee Network Security Manager (NSM) Prior to 9.1 Update 5 allows an authenticated administrator to embed an XSS in the administrator interface via a specially crafted custom rule containing HTML."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Cross Site Scripting (XSS) vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-05-21T14:06:08", "orgId": "01626437-bf8f-4d1c-912a-893b5eb04808", "shortName": "trellix"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10281"}, {"name": "108400", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108400"}], "source": {"discovery": "EXTERNAL"}, "title": "Cross site scripting vulnerability in McAfee NSM impacting authenticated users", "x_generator": {"engine": "Vulnogram 0.0.6"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@mcafee.com", "ID": "CVE-2019-3602", "STATE": "PUBLIC", "TITLE": "Cross site scripting vulnerability in McAfee NSM impacting authenticated users"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "McAfee Network Security Manager (NSM)", "version": {"version_data": [{"version_affected": "<", "version_name": "9.1", "version_value": "9.1 update 5 (9.1.7.77)"}]}}]}, "vendor_name": "McAfee, LLC"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross Site Scripting (XSS) vulnerability in McAfee Network Security Manager (NSM) Prior to 9.1 Update 5 allows an authenticated administrator to embed an XSS in the administrator interface via a specially crafted custom rule containing HTML."}]}, "generator": {"engine": "Vulnogram 0.0.6"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross Site Scripting (XSS) vulnerability"}]}]}, "references": {"reference_data": [{"name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10281", "refsource": "CONFIRM", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10281"}, {"name": "108400", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108400"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:12:09.689Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10281"}, {"name": "108400", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/108400"}]}]}, "cveMetadata": {"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808", "assignerShortName": "trellix", "cveId": "CVE-2019-3602", "datePublished": "2019-05-15T15:47:03", "dateReserved": "2019-01-03T00:00:00", "dateUpdated": "2024-08-04T19:12:09.689Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mcafee:network_security_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "03CBDCA3-BCF0-41CE-84A7-321414F47808", "versionEndExcluding": "9.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:network_security_manager:9.1:-:*:*:*:*:*:*", "matchCriteriaId": "67838E30-EBD3-4D97-8395-45435C14ECE5", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:network_security_manager:9.1:update_1:*:*:*:*:*:*", "matchCriteriaId": "A05388ED-A6AC-4D24-BA05-D5DC64F3BFA3", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:network_security_manager:9.1:update_2:*:*:*:*:*:*", "matchCriteriaId": "5BEB32F8-601A-4663-8D92-B933AF8DD3C3", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:network_security_manager:9.1:update_3:*:*:*:*:*:*", "matchCriteriaId": "BA150F4C-EDFD-4E53-BE45-B0D0BA73323F", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:network_security_manager:9.1:update_4:*:*:*:*:*:*", "matchCriteriaId": "67E9A510-DBD6-493E-8C4A-0A9AA96351F2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross Site Scripting (XSS) vulnerability in McAfee Network Security Manager (NSM) Prior to 9.1 Update 5 allows an authenticated administrator to embed an XSS in the administrator interface via a specially crafted custom rule containing HTML."}, {"lang": "es", "value": "Vulnerabilidad de tipo Cross Site Scripting (XSS) en Network Security Manager (NSM) de McAfee anterior de la versi\u00f3n 9.1 actualizaci\u00f3n 5, permite a un administrador autenticado insertar un XSS en la interfaz del administrador por medio de una regla personalizada especialmente creada con contenido HTML."}], "id": "CVE-2019-3602", "lastModified": "2023-11-07T03:09:59.120", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "trellixpsirt@trellix.com", "type": "Secondary"}]}, "published": "2019-05-15T16:29:00.613", "references": [{"source": "trellixpsirt@trellix.com", "url": "http://www.securityfocus.com/bid/108400"}, {"source": "trellixpsirt@trellix.com", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10281"}], "sourceIdentifier": "trellixpsirt@trellix.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}