CVE-2023-31177 - OpenCVE

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in the Schweitzer Engineering Laboratories SEL-451 could allow an attacker to craft a link that could execute arbitrary code on a victim's system. See product Instruction Manual Appendix A dated 20230830 for more details.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Selinc	Sel-451 Sel-451 Firmware

Configuration 1 [-]

AND

OR	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware:r326-v0:::::::*
	cpe:2.3:o:selinc:sel-451_firmware:r327-v0:::::::*

cpe:2.3:h:selinc:sel-451:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://selinc.com/support/security-notifications/external-reports/
https://www.nozominetworks.com/blog/

History

No history.

MITRE

Status: PUBLISHED

Assigner: SEL

Published: 2023-11-30T16:53:34.046Z

Updated: 2024-08-02T14:45:25.869Z

Reserved: 2023-04-24T23:20:01.610Z

Link: CVE-2023-31177

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-11-30T17:15:08.763

Modified: 2023-12-06T00:34:19.680

Link: CVE-2023-31177

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-31177", "assignerOrgId": "5804bb70-792c-43e0-8596-486cc0efe699", "state": "PUBLISHED", "assignerShortName": "SEL", "dateReserved": "2023-04-24T23:20:01.610Z", "datePublished": "2023-11-30T16:53:34.046Z", "dateUpdated": "2024-08-02T14:45:25.869Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SEL-451", "vendor": "Schweitzer Engineering Laboratories", "versions": [{"lessThan": "R315-V4", "status": "affected", "version": "R315-V0", "versionType": "custom"}, {"lessThan": "R316-V4", "status": "affected", "version": "R316-V0", "versionType": "custom"}, {"lessThan": "R317-V4", "status": "affected", "version": "R317-V0", "versionType": "custom"}, {"lessThan": "R318-V5", "status": "affected", "version": "R318-V0", "versionType": "custom"}, {"lessThan": "R320-V3", "status": "affected", "version": "R320-V0", "versionType": "custom"}, {"lessThan": "R321-V3", "status": "affected", "version": "R321-V0", "versionType": "custom"}, {"lessThan": "R322-V3", "status": "affected", "version": "R322-V0", "versionType": "custom"}, {"lessThan": "R323-V5", "status": "affected", "version": "R323-V0", "versionType": "custom"}, {"lessThan": "R324-V4", "status": "affected", "version": "R324-V0", "versionType": "custom"}, {"lessThan": "R325-V3", "status": "affected", "version": "R325-V0", "versionType": "custom"}, {"lessThan": "R326-V1", "status": "affected", "version": "R326-V0", "versionType": "custom"}, {"lessThan": "R327-V1", "status": "affected", "version": "R327-V0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Andrea Palanca and Gabriele Quagliarella of Nozomi Networks"}], "datePublic": "2023-11-30T09:56:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An Improper Neutralization of Input During Web Page Generation  ('Cross-site Scripting') in the Schweitzer Engineering Laboratories SEL-451 could allow an attacker to craft a link that could execute arbitrary code on a victim's system.<br><br>\n\nSee product Instruction Manual Appendix A dated 20230830 for more details.\n\n<br>"}], "value": "An Improper Neutralization of Input During Web Page Generation\u00a0 ('Cross-site Scripting') in the Schweitzer Engineering Laboratories SEL-451 could allow an attacker to craft a link that could execute arbitrary code on a victim's system.\n\n\n\nSee product Instruction Manual Appendix A dated 20230830 for more details.\n\n\n"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}, {"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "5804bb70-792c-43e0-8596-486cc0efe699", "shortName": "SEL", "dateUpdated": "2023-11-30T16:53:34.046Z"}, "references": [{"url": "https://selinc.com/support/security-notifications/external-reports/"}, {"url": "https://www.nozominetworks.com/blog/"}], "source": {"discovery": "UNKNOWN"}, "title": "Improper neutralizataion of input could lead to execution of arbitrary code", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:45:25.869Z"}, "title": "CVE Program Container", "references": [{"url": "https://selinc.com/support/security-notifications/external-reports/", "tags": ["x_transferred"]}, {"url": "https://www.nozominetworks.com/blog/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "567CA071-8A2D-40DD-A3DF-0FD73739476F", "versionEndExcluding": "r315-v4", "versionStartIncluding": "r315-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE50B5EC-2A69-4EA9-A16D-5A0BF38D2861", "versionEndExcluding": "r316-v4", "versionStartIncluding": "r316-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D9D6B6F3-8D35-46B5-879C-26F22ED4AA2D", "versionEndExcluding": "r317-v4", "versionStartIncluding": "r317-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5DC6FE46-8B20-47D6-8A88-1708978C49D1", "versionEndExcluding": "r318-v5", "versionStartIncluding": "r318-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E3E5B0A-E01A-4A5B-894C-DF83E4E5B23F", "versionEndExcluding": "r320-v3", "versionStartIncluding": "r320-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "7505AF51-82AF-4145-B794-CA0B5048DD7E", "versionEndExcluding": "r321-v3", "versionStartIncluding": "r321-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6F092F10-4440-4FC4-8B0B-44B86F1742B8", "versionEndExcluding": "r322-v3", "versionStartIncluding": "r322-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B80DF635-298D-45B6-A5F7-71386587E6A8", "versionEndExcluding": "r323-v5", "versionStartIncluding": "r323-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E9473AE-F0E1-49A2-BD2E-CEAC21B5CF9C", "versionEndExcluding": "r324-v4", "versionStartIncluding": "r324-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "77E42746-C95B-476B-8734-0DE9FA1C611C", "versionEndExcluding": "r325-v3", "versionStartIncluding": "r325-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:r326-v0:*:*:*:*:*:*:*", "matchCriteriaId": "8EF1EF31-FFF7-4A3B-8A9F-2BD4CC355CD2", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:r327-v0:*:*:*:*:*:*:*", "matchCriteriaId": "B9C7EDD0-52E2-45E7-975C-B194F2902F5D", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:selinc:sel-451:-:*:*:*:*:*:*:*", "matchCriteriaId": "9BBDB9B5-DAF0-4A78-88E3-1EB6486F8A13", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Neutralization of Input During Web Page Generation\u00a0 ('Cross-site Scripting') in the Schweitzer Engineering Laboratories SEL-451 could allow an attacker to craft a link that could execute arbitrary code on a victim's system.\n\n\n\nSee product Instruction Manual Appendix A dated 20230830 for more details.\n\n\n"}, {"lang": "es", "value": "Una neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (\"Cross-site Scripting\") en Schweitzer Engineering Laboratories SEL-451 podr\u00eda permitir a un atacante crear un enlace que podr\u00eda ejecutar c\u00f3digo arbitrario en el sistema de una v\u00edctima. Consulte el Ap\u00e9ndice A del Manual de instrucciones del producto con fecha 20230830 para obtener m\u00e1s detalles."}], "id": "CVE-2023-31177", "lastModified": "2023-12-06T00:34:19.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.4, "source": "security@selinc.com", "type": "Secondary"}]}, "published": "2023-11-30T17:15:08.763", "references": [{"source": "security@selinc.com", "tags": ["Vendor Advisory"], "url": "https://selinc.com/support/security-notifications/external-reports/"}, {"source": "security@selinc.com", "tags": ["Third Party Advisory"], "url": "https://www.nozominetworks.com/blog/"}], "sourceIdentifier": "security@selinc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@selinc.com", "type": "Secondary"}]}