CVE-2020-27262 - OpenCVE

Innokas Yhtymä Oy Vital Signs Monitor VC150 prior to Version 1.7.15 A stored cross-site scripting (XSS) vulnerability exists in the affected products that allow an attacker to inject arbitrary web script or HTML via the filename parameter to multiple update endpoints of the administrative web interface.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Innokasmedical	Vital Signs Monitor Vc150 Vital Signs Monitor Vc150 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:innokasmedical:vital_signs_monitor_vc150_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:innokasmedical:vital_signs_monitor_vc150:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsma-21-007-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2021-01-08T15:16:44

Updated: 2024-08-04T16:11:36.419Z

Reserved: 2020-10-19T00:00:00

Link: CVE-2020-27262

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-01-08T16:15:14.967

Modified: 2021-01-14T17:18:12.297

Link: CVE-2020-27262

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Innokas Yhtym\u00e4 Oy Vital Signs Monitor VC150", "vendor": "n/a", "versions": [{"status": "affected", "version": "VC150 prior to Version 1.7.15"}]}], "descriptions": [{"lang": "en", "value": "Innokas Yhtym\u00e4 Oy Vital Signs Monitor VC150 prior to Version 1.7.15 A stored cross-site scripting (XSS) vulnerability exists in the affected products that allow an attacker to inject arbitrary web script or HTML via the filename parameter to multiple update endpoints of the administrative web interface."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-08T15:16:44", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-007-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2020-27262", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Innokas Yhtym\u00e4 Oy Vital Signs Monitor VC150", "version": {"version_data": [{"version_value": "VC150 prior to Version 1.7.15"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Innokas Yhtym\u00e4 Oy Vital Signs Monitor VC150 prior to Version 1.7.15 A stored cross-site scripting (XSS) vulnerability exists in the affected products that allow an attacker to inject arbitrary web script or HTML via the filename parameter to multiple update endpoints of the administrative web interface."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsma-21-007-01", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-007-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:11:36.419Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-007-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-27262", "datePublished": "2021-01-08T15:16:44", "dateReserved": "2020-10-19T00:00:00", "dateUpdated": "2024-08-04T16:11:36.419Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:innokasmedical:vital_signs_monitor_vc150_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B12A592-BEC0-40A4-9121-D546391D039E", "versionEndExcluding": "1.7.15", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:innokasmedical:vital_signs_monitor_vc150:-:*:*:*:*:*:*:*", "matchCriteriaId": "B6319D79-50F3-4A2C-81DC-FF09E97656A9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Innokas Yhtym\u00e4 Oy Vital Signs Monitor VC150 prior to Version 1.7.15 A stored cross-site scripting (XSS) vulnerability exists in the affected products that allow an attacker to inject arbitrary web script or HTML via the filename parameter to multiple update endpoints of the administrative web interface."}, {"lang": "es", "value": "Innokas Yhtym\u00e4 Oy Vital Signs Monitor VC150 anterior a versi\u00f3n 1.7.15. Se presenta una vulnerabilidad de tipo cross-site scripting (XSS) almacenado en los productos afectados que permiten a un atacante inyectar script web o HTML arbitrario por medio del par\u00e1metro filename en m\u00faltiples endpoints de actualizaci\u00f3n de la interfaz web administrativa"}], "id": "CVE-2020-27262", "lastModified": "2021-01-14T17:18:12.297", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-08T16:15:14.967", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-007-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}