Details of VAR-201702-0668

ID

VAR-201702-0668

CVE

CVE-2017-2683

TITLE

Siemens RuggedCom NMS Cross-Site Scripting Vulnerability

Trust: 1.4

sources: IVD: 5e12c641-3b1a-4cbe-b384-0cf8bcd22bec // CNVD: CNVD-2017-01836 // CNNVD: CNNVD-201702-913

DESCRIPTION

A non-privileged user of the Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP and 8081/TCP could perform a persistent Cross-Site Scripting (XSS) attack, potentially resulting in obtaining administrative permissions. RUGGEDCOM NMS is an enterprise-level solution for the monitoring, configuration and maintenance of RUGGEDCOM mission-critical networks by Siemens AG. Siemens RUGGEDCOM NMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Versions prior to Siemens RUGGEDCOM NMS 2.1 are vulnerable. An attacker could exploit this vulnerability to gain administrator privileges

Trust: 2.79

sources: NVD: CVE-2017-2683 // JVNDB: JVNDB-2017-001717 // CNVD: CNVD-2017-01836 // BID: 96455 // IVD: 5e12c641-3b1a-4cbe-b384-0cf8bcd22bec // VULHUB: VHN-110886 // VULMON: CVE-2017-2683

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 5e12c641-3b1a-4cbe-b384-0cf8bcd22bec // CNVD: CNVD-2017-01836

AFFECTED PRODUCTS

vendor:	siemens	model:	ruggedcom network management software	scope:	lte	version:	2.0.2	Trust: 1.0
vendor:	siemens	model:	ruggedcom nms	scope:	lt	version:	2.1 (windows and linux)	Trust: 0.8
vendor:	siemens	model:	ruggedcom nms	scope:	lt	version:	2.1	Trust: 0.6
vendor:	siemens	model:	ruggedcom network management software	scope:	eq	version:	2.0.2	Trust: 0.6
vendor:	ruggedcom network management	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 5e12c641-3b1a-4cbe-b384-0cf8bcd22bec // CNVD: CNVD-2017-01836 // JVNDB: JVNDB-2017-001717 // CNNVD: CNNVD-201702-913 // NVD: CVE-2017-2683

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-2683
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-2683
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2017-01836
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201702-913
value:	MEDIUM
Trust: 0.6
IVD:	5e12c641-3b1a-4cbe-b384-0cf8bcd22bec
value:	MEDIUM
Trust: 0.2
VULHUB:	VHN-110886
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2017-2683
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-2683
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2017-01836
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:L/AU:N/C:C/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	7.8
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	5e12c641-3b1a-4cbe-b384-0cf8bcd22bec
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:L/AU:N/C:C/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	7.8
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-110886
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-2683
baseSeverity:	HIGH
baseScore:	8.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	4.7
version:	3.0
Trust: 1.8

sources: IVD: 5e12c641-3b1a-4cbe-b384-0cf8bcd22bec // CNVD: CNVD-2017-01836 // VULHUB: VHN-110886 // VULMON: CVE-2017-2683 // JVNDB: JVNDB-2017-001717 // CNNVD: CNNVD-201702-913 // NVD: CVE-2017-2683

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-110886 // JVNDB: JVNDB-2017-001717 // NVD: CVE-2017-2683

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-913

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201702-913

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-001717

PATCH

title:	SSA-363881	url:	http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-363881.pdf	Trust: 0.8
title:	Siemens RuggedCom NMS Cross-Site Scripting Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/89663	Trust: 0.6
title:	Siemens RUGGEDCOM NMS Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=68061	Trust: 0.6

sources: CNVD: CNVD-2017-01836 // JVNDB: JVNDB-2017-001717 // CNNVD: CNNVD-201702-913

EXTERNAL IDS

db:	NVD	id:	CVE-2017-2683	Trust: 3.7
db:	ICS CERT	id:	ICSA-17-059-01	Trust: 2.3
db:	SIEMENS	id:	SSA-363881	Trust: 1.8
db:	BID	id:	96455	Trust: 1.5
db:	SECTRACK	id:	1037958	Trust: 1.2
db:	CNNVD	id:	CNNVD-201702-913	Trust: 0.9
db:	CNVD	id:	CNVD-2017-01836	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-001717	Trust: 0.8
db:	IVD	id:	5E12C641-3B1A-4CBE-B384-0CF8BCD22BEC	Trust: 0.2
db:	VULHUB	id:	VHN-110886	Trust: 0.1
db:	VULMON	id:	CVE-2017-2683	Trust: 0.1

sources: IVD: 5e12c641-3b1a-4cbe-b384-0cf8bcd22bec // CNVD: CNVD-2017-01836 // VULHUB: VHN-110886 // VULMON: CVE-2017-2683 // BID: 96455 // JVNDB: JVNDB-2017-001717 // CNNVD: CNNVD-201702-913 // NVD: CVE-2017-2683

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-17-059-01	Trust: 2.4
url:	http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-363881.pdf	Trust: 1.8
url:	http://www.securityfocus.com/bid/96455	Trust: 1.3
url:	http://www.securitytracker.com/id/1037958	Trust: 1.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2683	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-2683	Trust: 0.8
url:	http://www.siemens.com/cert/en/cert-security-advisories.htm	Trust: 0.6
url:	http://www.siemens.com/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://tools.cisco.com/security/center/viewalert.x?alertid=52799	Trust: 0.1

sources: CNVD: CNVD-2017-01836 // VULHUB: VHN-110886 // VULMON: CVE-2017-2683 // BID: 96455 // JVNDB: JVNDB-2017-001717 // CNNVD: CNNVD-201702-913 // NVD: CVE-2017-2683

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 96455

SOURCES

db:	IVD	id:	5e12c641-3b1a-4cbe-b384-0cf8bcd22bec
db:	CNVD	id:	CNVD-2017-01836
db:	VULHUB	id:	VHN-110886
db:	VULMON	id:	CVE-2017-2683
db:	BID	id:	96455
db:	JVNDB	id:	JVNDB-2017-001717
db:	CNNVD	id:	CNNVD-201702-913
db:	NVD	id:	CVE-2017-2683

LAST UPDATE DATE

2025-04-20T23:27:28.126000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-01836	date:	2017-02-24T00:00:00
db:	VULHUB	id:	VHN-110886	date:	2017-07-17T00:00:00
db:	VULMON	id:	CVE-2017-2683	date:	2017-07-17T00:00:00
db:	BID	id:	96455	date:	2017-03-07T01:08:00
db:	JVNDB	id:	JVNDB-2017-001717	date:	2017-03-15T00:00:00
db:	CNNVD	id:	CNNVD-201702-913	date:	2017-02-28T00:00:00
db:	NVD	id:	CVE-2017-2683	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	5e12c641-3b1a-4cbe-b384-0cf8bcd22bec	date:	2017-02-23T00:00:00
db:	CNVD	id:	CNVD-2017-01836	date:	2017-02-23T00:00:00
db:	VULHUB	id:	VHN-110886	date:	2017-02-27T00:00:00
db:	VULMON	id:	CVE-2017-2683	date:	2017-02-27T00:00:00
db:	BID	id:	96455	date:	2017-02-27T00:00:00
db:	JVNDB	id:	JVNDB-2017-001717	date:	2017-03-15T00:00:00
db:	CNNVD	id:	CNNVD-201702-913	date:	2017-02-28T00:00:00
db:	NVD	id:	CVE-2017-2683	date:	2017-02-27T11:59:00.197