CVE-2021-27658 - Vulnerability Details - OpenCVE

exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00225.

Key SSVC decision points have not yet been added.

Vendors	Products
Johnsoncontrols	Exacqvision Enterprise Manager

Configuration 1 [-]

cpe:2.3:a:johnsoncontrols:exacqvision_enterprise_manager:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-14404	exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users.

Fixes

Solution

Upgrade all previous versions of exacqVision Enterprise Manager to the latest version of 21.03. Current users can obtain the critical software update from the Software Downloads location at https://www.exacq.com/support/downloads.php.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-21-180-02
https://us-cert.gov/ics/advisories
https://www.johnsoncontrols.com/cyber-solutions/security-advisories

History

No history.

MITRE

Status: PUBLISHED

Assigner: jci

Published: 2021-06-24T13:49:27.039894Z

Updated: 2024-09-17T02:06:10.903Z

Reserved: 2021-02-24T00:00:00

Link: CVE-2021-27658

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-06-24T14:15:09.610

Modified: 2024-11-21T05:58:23.457

Link: CVE-2021-27658

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "exacqVision Enterprise Manager", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "20.12", "status": "affected", "version": "All versions up to and including 20.12", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Milan Kyselica, Roman Stevanak"}], "datePublic": "2021-06-24T00:00:00", "descriptions": [{"lang": "en", "value": "exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-30T15:23:17", "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "https://us-cert.gov/ics/advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-02"}], "solutions": [{"lang": "en", "value": "Upgrade all previous versions of exacqVision Enterprise Manager to the latest version of 21.03.\n\nCurrent users can obtain the critical software update from the Software Downloads location at https://www.exacq.com/support/downloads.php."}], "source": {"discovery": "EXTERNAL"}, "title": "exacqVision Enterprise Manager CSS", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productsecurity@jci.com", "DATE_PUBLIC": "2021-06-24T06:00:00.000Z", "ID": "CVE-2021-27658", "STATE": "PUBLIC", "TITLE": "exacqVision Enterprise Manager CSS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "exacqVision Enterprise Manager", "version": {"version_data": [{"version_affected": "<=", "version_name": "All versions up to and including 20.12", "version_value": "20.12"}]}}]}, "vendor_name": "Johnson Controls"}]}}, "credit": [{"lang": "eng", "value": "Milan Kyselica, Roman Stevanak"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories", "refsource": "CONFIRM", "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "refsource": "CERT", "url": "https://us-cert.gov/ics/advisories"}, {"name": "ICS-CERT Advisory", "refsource": "CERT", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-02"}]}, "solution": [{"lang": "en", "value": "Upgrade all previous versions of exacqVision Enterprise Manager to the latest version of 21.03.\n\nCurrent users can obtain the critical software update from the Software Downloads location at https://www.exacq.com/support/downloads.php."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:26:10.586Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "https://us-cert.gov/ics/advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-02"}]}]}, "cveMetadata": {"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "assignerShortName": "jci", "cveId": "CVE-2021-27658", "datePublished": "2021-06-24T13:49:27.039894Z", "dateReserved": "2021-02-24T00:00:00", "dateUpdated": "2024-09-17T02:06:10.903Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:johnsoncontrols:exacqvision_enterprise_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "693114E8-5DE8-4E8A-A9F2-79B382506022", "versionEndIncluding": "20.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users."}, {"lang": "es", "value": "exacqVision Enterprise Manager versi\u00f3n 20.12 no combrueba, filtra, escapa y/o codifica suficientemente las entradas controlables por el usuario antes de colocarlas en la salida que se utiliza como p\u00e1gina web que es servida a otros usuarios"}], "id": "CVE-2021-27658", "lastModified": "2024-11-21T05:58:23.457", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "productsecurity@jci.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-24T14:15:09.610", "references": [{"source": "productsecurity@jci.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-02"}, {"source": "productsecurity@jci.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.gov/ics/advisories"}, {"source": "productsecurity@jci.com", "tags": ["Vendor Advisory"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.gov/ics/advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}], "sourceIdentifier": "productsecurity@jci.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "productsecurity@jci.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}