CVE-2024-5420 - OpenCVE

Missing input validation in the SEH Computertechnik utnserver Pro, SEH Computertechnik utnserver ProMAX, SEH Computertechnik INU-100 web-interface allows stored Cross-Site Scripting (XSS)..This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
http://seclists.org/fulldisclosure/2024/Jun/4
https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/index.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: CyberDanube

Published: 2024-06-04T07:48:27.789Z

Updated: 2024-08-01T21:11:12.786Z

Reserved: 2024-05-27T14:10:24.076Z

Link: CVE-2024-5420

Vulnrichment

Updated: 2024-08-01T21:11:12.786Z

NVD

Status : Awaiting Analysis

Published: 2024-06-04T08:15:11.170

Modified: 2024-06-10T18:15:38.367

Link: CVE-2024-5420

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-5420", "assignerOrgId": "7d092a75-6bbd-48c6-a15a-0297458009bc", "state": "PUBLISHED", "assignerShortName": "CyberDanube", "dateReserved": "2024-05-27T14:10:24.076Z", "datePublished": "2024-06-04T07:48:27.789Z", "dateUpdated": "2024-08-01T21:11:12.786Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "utnserver Pro", "vendor": "SEH Computertechnik", "versions": [{"lessThanOrEqual": "20.1.22", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "utnserver ProMAX", "vendor": "SEH Computertechnik", "versions": [{"lessThanOrEqual": "20.1.22", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "INU-100", "vendor": "SEH Computertechnik", "versions": [{"lessThanOrEqual": "20.1.22", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "T. Weber"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Missing input validation in the </span>SEH Computertechnik utnserver Pro, SEH Computertechnik utnserver ProMAX, SEH Computertechnik INU-100 web-interface <span style=\"background-color: rgb(255, 255, 255);\">allows stored Cross-Site Scripting (XSS).</span>.<p>This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below.</p>"}], "value": "Missing input validation in the\u00a0SEH Computertechnik utnserver Pro, SEH Computertechnik utnserver ProMAX, SEH Computertechnik INU-100 web-interface\u00a0allows stored Cross-Site Scripting (XSS)..This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.3, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:H/SC:N/SI:N/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d092a75-6bbd-48c6-a15a-0297458009bc", "shortName": "CyberDanube", "dateUpdated": "2024-06-04T07:48:27.789Z"}, "references": [{"url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/index.html"}, {"url": "http://seclists.org/fulldisclosure/2024/Jun/4"}], "source": {"discovery": "EXTERNAL"}, "title": "Stored Cross-Site Scripting in SEH Computertechnik utnserver Pro", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5420", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-04T13:55:25.257397Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:seh:utnserver_pro:-:*:*:*:*:*:*:*"], "vendor": "seh", "product": "utnserver_pro", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "20.1.22"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:seh:utnserver_promax:-:*:*:*:*:*:*:*"], "vendor": "seh", "product": "utnserver_promax", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "20.1.22"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:seh:inu-100:-:*:*:*:*:*:*:*"], "vendor": "seh", "product": "inu-100", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "20.1.22"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:02:24.315Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.786Z"}, "title": "CVE Program Container", "references": [{"url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/index.html", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jun/4", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/index.html", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jun/4", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.786Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5420", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-04T13:55:25.257397Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:seh:utnserver_pro:-:*:*:*:*:*:*:*"], "vendor": "seh", "product": "utnserver_pro", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "20.1.22"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:seh:utnserver_promax:-:*:*:*:*:*:*:*"], "vendor": "seh", "product": "utnserver_promax", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "20.1.22"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:seh:inu-100:-:*:*:*:*:*:*:*"], "vendor": "seh", "product": "inu-100", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "20.1.22"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T13:54:23.135Z"}}], "cna": {"title": "Stored Cross-Site Scripting in SEH Computertechnik utnserver Pro", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "T. Weber"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:H/SC:N/SI:N/SA:H", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SEH Computertechnik", "product": "utnserver Pro", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "20.1.22"}], "defaultStatus": "unaffected"}, {"vendor": "SEH Computertechnik", "product": "utnserver ProMAX", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "20.1.22"}], "defaultStatus": "unaffected"}, {"vendor": "SEH Computertechnik", "product": "INU-100", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "20.1.22"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/index.html"}, {"url": "http://seclists.org/fulldisclosure/2024/Jun/4"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Missing input validation in the\u00a0SEH Computertechnik utnserver Pro, SEH Computertechnik utnserver ProMAX, SEH Computertechnik INU-100 web-interface\u00a0allows stored Cross-Site Scripting (XSS)..This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Missing input validation in the </span>SEH Computertechnik utnserver Pro, SEH Computertechnik utnserver ProMAX, SEH Computertechnik INU-100 web-interface <span style=\"background-color: rgb(255, 255, 255);\">allows stored Cross-Site Scripting (XSS).</span>.<p>This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "7d092a75-6bbd-48c6-a15a-0297458009bc", "shortName": "CyberDanube", "dateUpdated": "2024-06-04T07:48:27.789Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5420", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:11:12.786Z", "dateReserved": "2024-05-27T14:10:24.076Z", "assignerOrgId": "7d092a75-6bbd-48c6-a15a-0297458009bc", "datePublished": "2024-06-04T07:48:27.789Z", "assignerShortName": "CyberDanube"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing input validation in the\u00a0SEH Computertechnik utnserver Pro, SEH Computertechnik utnserver ProMAX, SEH Computertechnik INU-100 web-interface\u00a0allows stored Cross-Site Scripting (XSS)..This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below."}, {"lang": "es", "value": "Falta la validaci\u00f3n de entrada en SEH Computertechnik utnserver Pro, SEH Computertechnik utnserver ProMAX, la interfaz web de SEH Computertechnik INU-100 permite Cross-Site Scripting (XSS) Almacenado. Este problema afecta a utnserver Pro, utnserver ProMAX, INU-100 versi\u00f3n 20.1.22. y por debajo."}], "id": "CVE-2024-5420", "lastModified": "2024-06-10T18:15:38.367", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "LOW"}, "source": "office@cyberdanube.com", "type": "Secondary"}]}, "published": "2024-06-04T08:15:11.170", "references": [{"source": "office@cyberdanube.com", "url": "http://seclists.org/fulldisclosure/2024/Jun/4"}, {"source": "office@cyberdanube.com", "url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/index.html"}], "sourceIdentifier": "office@cyberdanube.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "office@cyberdanube.com", "type": "Secondary"}]}