CVE-2024-5410 - OpenCVE

Missing input validation in the ORing IAP-420 web-interface allows stored Cross-Site Scripting (XSS).This issue affects IAP-420 version 2.01e and below.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
http://seclists.org/fulldisclosure/2024/May/36
https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/

History

No history.

MITRE

Status: PUBLISHED

Assigner: CyberDanube

Published: 2024-05-28T10:23:16.991Z

Updated: 2024-08-01T21:11:12.769Z

Reserved: 2024-05-27T08:36:53.398Z

Link: CVE-2024-5410

Vulnrichment

Updated: 2024-08-01T21:11:12.769Z

NVD

Status : Awaiting Analysis

Published: 2024-05-28T11:15:10.327

Modified: 2024-06-10T17:16:34.350

Link: CVE-2024-5410

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-5410", "assignerOrgId": "7d092a75-6bbd-48c6-a15a-0297458009bc", "state": "PUBLISHED", "assignerShortName": "CyberDanube", "dateReserved": "2024-05-27T08:36:53.398Z", "datePublished": "2024-05-28T10:23:16.991Z", "dateUpdated": "2024-08-01T21:11:12.769Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "IAP-420", "vendor": "ORing", "versions": [{"lessThanOrEqual": "2.01e", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "T. Weber"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing input validation in the ORing IAP-420 web-interface allows stored Cross-Site Scripting (XSS).<p>This issue affects IAP-420 version 2.01e and below.</p>"}], "value": "Missing input validation in the ORing IAP-420 web-interface allows stored Cross-Site Scripting (XSS).This issue affects IAP-420 version 2.01e and below."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.3, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:H/SC:N/SI:N/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d092a75-6bbd-48c6-a15a-0297458009bc", "shortName": "CyberDanube", "dateUpdated": "2024-05-28T10:23:16.991Z"}, "references": [{"url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/"}, {"url": "http://seclists.org/fulldisclosure/2024/May/36"}], "source": {"discovery": "EXTERNAL"}, "title": "Stored Cross-Site Scripting", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5410", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-29T18:05:00.861450Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:02:51.184Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.769Z"}, "title": "CVE Program Container", "references": [{"url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/May/36", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/May/36", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.769Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5410", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-29T18:05:00.861450Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-29T18:05:05.974Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Stored Cross-Site Scripting", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "T. Weber"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:H/SC:N/SI:N/SA:H", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ORing", "product": "IAP-420", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.01e"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/"}, {"url": "http://seclists.org/fulldisclosure/2024/May/36"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Missing input validation in the ORing IAP-420 web-interface allows stored Cross-Site Scripting (XSS).This issue affects IAP-420 version 2.01e and below.", "supportingMedia": [{"type": "text/html", "value": "Missing input validation in the ORing IAP-420 web-interface allows stored Cross-Site Scripting (XSS).<p>This issue affects IAP-420 version 2.01e and below.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "7d092a75-6bbd-48c6-a15a-0297458009bc", "shortName": "CyberDanube", "dateUpdated": "2024-05-28T10:23:16.991Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5410", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:11:12.769Z", "dateReserved": "2024-05-27T08:36:53.398Z", "assignerOrgId": "7d092a75-6bbd-48c6-a15a-0297458009bc", "datePublished": "2024-05-28T10:23:16.991Z", "assignerShortName": "CyberDanube"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing input validation in the ORing IAP-420 web-interface allows stored Cross-Site Scripting (XSS).This issue affects IAP-420 version 2.01e and below."}, {"lang": "es", "value": "La falta de validaci\u00f3n de entrada en la interfaz web ORing del IAP-420 permite el almacenamiento de Cross-site scripting (XSS). Este problema afecta a la versi\u00f3n 2.01e y anteriores del IAP-420."}], "id": "CVE-2024-5410", "lastModified": "2024-06-10T17:16:34.350", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "LOW"}, "source": "office@cyberdanube.com", "type": "Secondary"}]}, "published": "2024-05-28T11:15:10.327", "references": [{"source": "office@cyberdanube.com", "url": "http://seclists.org/fulldisclosure/2024/May/36"}, {"source": "office@cyberdanube.com", "url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/"}], "sourceIdentifier": "office@cyberdanube.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "office@cyberdanube.com", "type": "Secondary"}]}