CVE-2020-15788 - OpenCVE

A vulnerability has been identified in Polarion Subversion Webclient (All versions). The Polarion subversion web application does not filter user input in a way that prevents Cross-Site Scripting. If a user is enticed into passing specially crafted, malicious input to the web client (e.g. by clicking on a malicious URL with embedded JavaScript), then JavaScript code can be returned and may then be executed by the user’s client. Various actions could be triggered by running malicious JavaScript code.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Siemens	Polarion Subversion Webclient

Configuration 1 [-]

cpe:2.3:a:siemens:polarion_subversion_webclient:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-436520.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: siemens

Published: 2020-09-09T18:11:42

Updated: 2024-08-04T13:22:30.762Z

Reserved: 2020-07-15T00:00:00

Link: CVE-2020-15788

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-09-09T19:15:20.163

Modified: 2020-09-14T20:38:54.287

Link: CVE-2020-15788

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Polarion Subversion Webclient", "vendor": "Siemens AG", "versions": [{"status": "affected", "version": "All versions"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Polarion Subversion Webclient (All versions). The Polarion subversion web application does not filter user input in a way that prevents Cross-Site Scripting. If a user is enticed into passing specially crafted, malicious input to the web client (e.g. by clicking on a malicious URL with embedded JavaScript), then JavaScript code can be returned and may then be executed by the user\u2019s client. Various actions could be triggered by running malicious JavaScript code."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-09-09T18:11:42", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-436520.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productcert@siemens.com", "ID": "CVE-2020-15788", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Polarion Subversion Webclient", "version": {"version_data": [{"version_value": "All versions"}]}}]}, "vendor_name": "Siemens AG"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability has been identified in Polarion Subversion Webclient (All versions). The Polarion subversion web application does not filter user input in a way that prevents Cross-Site Scripting. If a user is enticed into passing specially crafted, malicious input to the web client (e.g. by clicking on a malicious URL with embedded JavaScript), then JavaScript code can be returned and may then be executed by the user\u2019s client. Various actions could be triggered by running malicious JavaScript code."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}]}, "references": {"reference_data": [{"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-436520.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-436520.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:22:30.762Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-436520.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2020-15788", "datePublished": "2020-09-09T18:11:42", "dateReserved": "2020-07-15T00:00:00", "dateUpdated": "2024-08-04T13:22:30.762Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:polarion_subversion_webclient:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8C6D584-AB51-40BA-9E4E-1F635297738D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Polarion Subversion Webclient (All versions). The Polarion subversion web application does not filter user input in a way that prevents Cross-Site Scripting. If a user is enticed into passing specially crafted, malicious input to the web client (e.g. by clicking on a malicious URL with embedded JavaScript), then JavaScript code can be returned and may then be executed by the user\u2019s client. Various actions could be triggered by running malicious JavaScript code."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Polarion Subversion Webclient (todas las versiones). La aplicaci\u00f3n web Polarion subversion no filtra la entrada del usuario de una manera que impide un Cross-Site Scripting. Si un usuario es tentado a pasar una entrada maliciosa especialmente dise\u00f1ada al cliente web (por ejemplo, al hacer clic en una URL maliciosa con JavaScript insertado), el c\u00f3digo JavaScript puede ser devuelto y luego ejecutado por el cliente del usuario. Varias acciones pueden ser activadas ejecutando c\u00f3digo JavaScript malicioso."}], "id": "CVE-2020-15788", "lastModified": "2020-09-14T20:38:54.287", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-09T19:15:20.163", "references": [{"source": "productcert@siemens.com", "tags": ["Vendor Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-436520.pdf"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-80"}], "source": "productcert@siemens.com", "type": "Secondary"}]}