CVE-2023-3937 - OpenCVE

Cross site scripting vulnerability in web portal in Snow Software License Manager from version 9.0.0 up to and including 9.30.1 on Windows allows an authenticated user with high privileges to trigger cross site scripting attack via the web browser

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	Windows
Snowsoftware	Snow License Manager

Configuration 1 [-]

AND

cpe:2.3:a:snowsoftware:snow_license_manager:*:*:*:*:service_provider:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC

History

No history.

MITRE

Status: PUBLISHED

Assigner: Snow

Published: 2023-08-11T11:28:30.185Z

Updated: 2024-08-02T07:08:50.686Z

Reserved: 2023-07-25T13:29:16.203Z

Link: CVE-2023-3937

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-08-11T12:15:09.637

Modified: 2023-08-18T14:30:09.183

Link: CVE-2023-3937

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3937", "assignerOrgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65", "state": "PUBLISHED", "assignerShortName": "Snow", "dateReserved": "2023-07-25T13:29:16.203Z", "datePublished": "2023-08-11T11:28:30.185Z", "dateUpdated": "2024-08-02T07:08:50.686Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "x86", "64 bit", "32 bit"], "product": "Snow License Manager", "vendor": "Snow Software", "versions": [{"lessThanOrEqual": "9.30.1", "status": "affected", "version": "9.0.0", "versionType": "0"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Can Do\u011fu & Himanshu Giri"}], "datePublic": "2023-08-11T01:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross site scripting vulnerability in web portal in Snow Software License Manager from version 9.0.0 up to and including 9.30.1 on Windows allows an authenticated user with high privileges to trigger cross site scripting attack via the web browser"}], "value": "Cross site scripting vulnerability in web portal in Snow Software License Manager from version 9.0.0 up to and including 9.30.1 on Windows allows an authenticated user with high privileges to trigger cross site scripting attack via the web browser"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ea911274-ddd9-4e68-b39a-d7d6ae8b8a65", "shortName": "Snow", "dateUpdated": "2023-08-11T13:53:50.811Z"}, "references": [{"url": "https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to SLM version 9.30.2"}], "value": "Upgrade to SLM version 9.30.2"}], "source": {"discovery": "EXTERNAL"}, "title": "Cross site scripting vulnerabilities in Snow License Manager", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:08:50.686Z"}, "title": "CVE Program Container", "references": [{"url": "https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:snowsoftware:snow_license_manager:*:*:*:*:service_provider:*:*:*", "matchCriteriaId": "37BB220A-0027-4C55-9EE3-25815A917061", "versionEndIncluding": "9.30.1", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross site scripting vulnerability in web portal in Snow Software License Manager from version 9.0.0 up to and including 9.30.1 on Windows allows an authenticated user with high privileges to trigger cross site scripting attack via the web browser"}, {"lang": "es", "value": "La vulnerabilidad de cross site scripting en el portal web del Snow Software License Manager desde la versi\u00f3n 9.0.0 hasta la 9.30.1 inclusive en Windows permite a un usuario autenticado con privilegios elevados desencadenar un ataque de cross site scripting a trav\u00e9s del navegador web.\n"}], "id": "CVE-2023-3937", "lastModified": "2023-08-18T14:30:09.183", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "security@snowsoftware.com", "type": "Secondary"}]}, "published": "2023-08-11T12:15:09.637", "references": [{"source": "security@snowsoftware.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://community.snowsoftware.com/s/feed/0D56M00009gUexuSAC"}], "sourceIdentifier": "security@snowsoftware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@snowsoftware.com", "type": "Secondary"}]}