CVE-2021-27658 - OpenCVE

exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Johnsoncontrols	Exacqvision Enterprise Manager

Configuration 1 [-]

cpe:2.3:a:johnsoncontrols:exacqvision_enterprise_manager:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-21-180-02
https://us-cert.gov/ics/advisories
https://www.johnsoncontrols.com/cyber-solutions/security-advisories

History

No history.

MITRE

Status: PUBLISHED

Assigner: jci

Published: 2021-06-24T13:49:27.039894Z

Updated: 2024-09-17T02:06:10.903Z

Reserved: 2021-02-24T00:00:00

Link: CVE-2021-27658

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-06-24T14:15:09.610

Modified: 2021-09-20T18:48:09.957

Link: CVE-2021-27658

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "exacqVision Enterprise Manager", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "20.12", "status": "affected", "version": "All versions up to and including 20.12", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Milan Kyselica, Roman Stevanak"}], "datePublic": "2021-06-24T00:00:00", "descriptions": [{"lang": "en", "value": "exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-30T15:23:17", "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "https://us-cert.gov/ics/advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-02"}], "solutions": [{"lang": "en", "value": "Upgrade all previous versions of exacqVision Enterprise Manager to the latest version of 21.03.\n\nCurrent users can obtain the critical software update from the Software Downloads location at https://www.exacq.com/support/downloads.php."}], "source": {"discovery": "EXTERNAL"}, "title": "exacqVision Enterprise Manager CSS", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productsecurity@jci.com", "DATE_PUBLIC": "2021-06-24T06:00:00.000Z", "ID": "CVE-2021-27658", "STATE": "PUBLIC", "TITLE": "exacqVision Enterprise Manager CSS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "exacqVision Enterprise Manager", "version": {"version_data": [{"version_affected": "<=", "version_name": "All versions up to and including 20.12", "version_value": "20.12"}]}}]}, "vendor_name": "Johnson Controls"}]}}, "credit": [{"lang": "eng", "value": "Milan Kyselica, Roman Stevanak"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories", "refsource": "CONFIRM", "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "refsource": "CERT", "url": "https://us-cert.gov/ics/advisories"}, {"name": "ICS-CERT Advisory", "refsource": "CERT", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-02"}]}, "solution": [{"lang": "en", "value": "Upgrade all previous versions of exacqVision Enterprise Manager to the latest version of 21.03.\n\nCurrent users can obtain the critical software update from the Software Downloads location at https://www.exacq.com/support/downloads.php."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:26:10.586Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "https://us-cert.gov/ics/advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-02"}]}]}, "cveMetadata": {"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "assignerShortName": "jci", "cveId": "CVE-2021-27658", "datePublished": "2021-06-24T13:49:27.039894Z", "dateReserved": "2021-02-24T00:00:00", "dateUpdated": "2024-09-17T02:06:10.903Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:johnsoncontrols:exacqvision_enterprise_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "693114E8-5DE8-4E8A-A9F2-79B382506022", "versionEndIncluding": "20.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users."}, {"lang": "es", "value": "exacqVision Enterprise Manager versi\u00f3n 20.12 no combrueba, filtra, escapa y/o codifica suficientemente las entradas controlables por el usuario antes de colocarlas en la salida que se utiliza como p\u00e1gina web que es servida a otros usuarios"}], "id": "CVE-2021-27658", "lastModified": "2021-09-20T18:48:09.957", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "productsecurity@jci.com", "type": "Secondary"}]}, "published": "2021-06-24T14:15:09.610", "references": [{"source": "productsecurity@jci.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-02"}, {"source": "productsecurity@jci.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.gov/ics/advisories"}, {"source": "productsecurity@jci.com", "tags": ["Vendor Advisory"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}], "sourceIdentifier": "productsecurity@jci.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "productsecurity@jci.com", "type": "Secondary"}]}