CVE-2021-31583 - OpenCVE

Sipwise C5 NGCP WWW Admin version 3.6.7 up to and including platform version NGCP CE 3.0 has multiple authenticated stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user: Stored XSS in callforward/time/set/save (POST tsetname); Reflected XSS in addressbook (GET filter); Stored XSS in addressbook/save (POST firstname, lastname, company); and Reflected XSS in statistics/versions (GET lang).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sipwise	Next Generation Communication Platform

Configuration 1 [-]

cpe:2.3:a:sipwise:next_generation_communication_platform:3.6.7:*:*:*:ce:*:*:*

No data.

References

Link	Providers
http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/2021-September/014708.html
http://packetstormsecurity.com/files/162316/Sipwise-C5-NGCP-CSC-Cross-Site-Scripting.html
https://www.sipwise.com
https://www.zeroscience.mk/en/vulnerabilities
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-04-23T20:52:09

Updated: 2024-08-03T23:03:33.432Z

Reserved: 2021-04-22T00:00:00

Link: CVE-2021-31583

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-04-23T21:15:08.310

Modified: 2022-10-07T02:57:14.093

Link: CVE-2021-31583

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Sipwise C5 NGCP WWW Admin version 3.6.7 up to and including platform version NGCP CE 3.0 has multiple authenticated stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user: Stored XSS in callforward/time/set/save (POST tsetname); Reflected XSS in addressbook (GET filter); Stored XSS in addressbook/save (POST firstname, lastname, company); and Reflected XSS in statistics/versions (GET lang)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-07T12:55:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.zeroscience.mk/en/vulnerabilities"}, {"tags": ["x_refsource_MISC"], "url": "https://www.sipwise.com"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/162316/Sipwise-C5-NGCP-CSC-Cross-Site-Scripting.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php"}, {"tags": ["x_refsource_MISC"], "url": "http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/2021-September/014708.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-31583", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Sipwise C5 NGCP WWW Admin version 3.6.7 up to and including platform version NGCP CE 3.0 has multiple authenticated stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user: Stored XSS in callforward/time/set/save (POST tsetname); Reflected XSS in addressbook (GET filter); Stored XSS in addressbook/save (POST firstname, lastname, company); and Reflected XSS in statistics/versions (GET lang)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.zeroscience.mk/en/vulnerabilities", "refsource": "MISC", "url": "https://www.zeroscience.mk/en/vulnerabilities"}, {"name": "https://www.sipwise.com", "refsource": "MISC", "url": "https://www.sipwise.com"}, {"name": "http://packetstormsecurity.com/files/162316/Sipwise-C5-NGCP-CSC-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/162316/Sipwise-C5-NGCP-CSC-Cross-Site-Scripting.html"}, {"name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php", "refsource": "MISC", "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php"}, {"name": "http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/2021-September/014708.html", "refsource": "MISC", "url": "http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/2021-September/014708.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:03:33.432Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.zeroscience.mk/en/vulnerabilities"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.sipwise.com"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/162316/Sipwise-C5-NGCP-CSC-Cross-Site-Scripting.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/2021-September/014708.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-31583", "datePublished": "2021-04-23T20:52:09", "dateReserved": "2021-04-22T00:00:00", "dateUpdated": "2024-08-03T23:03:33.432Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sipwise:next_generation_communication_platform:3.6.7:*:*:*:ce:*:*:*", "matchCriteriaId": "CFDCF4D3-D704-4DD8-BB42-C7C00492551D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sipwise C5 NGCP WWW Admin version 3.6.7 up to and including platform version NGCP CE 3.0 has multiple authenticated stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user: Stored XSS in callforward/time/set/save (POST tsetname); Reflected XSS in addressbook (GET filter); Stored XSS in addressbook/save (POST firstname, lastname, company); and Reflected XSS in statistics/versions (GET lang)."}, {"lang": "es", "value": "Sipwise C5 NGCP WWW Admin versi\u00f3n 3.6.7 hasta la versi\u00f3n de plataforma NGCP CE 3.0 inclusive tiene m\u00faltiples vulnerabilidades XSS almacenadas y reflejadas autenticadas cuando la entrada pasada a trav\u00e9s de varios par\u00e1metros a varias secuencias de comandos no se sanea adecuadamente antes de ser devuelta al usuario: XSS almacenado en callforward/time/set/save (POST tsetname); XSS reflejado en addressbook (GET filter); XSS almacenado en addressbook/save (POST firstname, lastname, company); y XSS reflejado en statistics/versions (GET lang)"}], "id": "CVE-2021-31583", "lastModified": "2022-10-07T02:57:14.093", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-23T21:15:08.310", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/2021-September/014708.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/162316/Sipwise-C5-NGCP-CSC-Cross-Site-Scripting.html"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.sipwise.com"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.zeroscience.mk/en/vulnerabilities"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}