Sign-up

ID

VAR-201712-0117


CVE

CVE-2017-16721


TITLE

Geovap Reliance SCADA Cross-Site Scripting Vulnerability

Trust: 0.8

sources: IVD: e2dee4c0-39ab-11e9-8cbe-000c29342cb1 // CNVD: CNVD-2017-35814

DESCRIPTION

A Cross-site Scripting issue was discovered in Geovap Reliance SCADA Version 4.7.3 Update 2 and prior. This vulnerability could allow an unauthenticated attacker to inject arbitrary code. Reliance is a professional SCADA/HMI system designed for visualization and control of industrial processes as well as building and home automation. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 2.61

sources: NVD: CVE-2017-16721 // JVNDB: JVNDB-2017-010953 // CNVD: CNVD-2017-35814 // BID: 102031 // IVD: e2dee4c0-39ab-11e9-8cbe-000c29342cb1

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: e2dee4c0-39ab-11e9-8cbe-000c29342cb1 // CNVD: CNVD-2017-35814

AFFECTED PRODUCTS

vendor:geovapmodel:reliance-scadascope:eqversion:4.7.3

Trust: 1.6

vendor:geovapmodel:reliance-scadascope:lteversion:4.7.1

Trust: 1.0

vendor:geovapmodel:reliance-scadascope:eqversion:4.7.2

Trust: 1.0

vendor:geovap spol s r omodel:reliance scadascope:lteversion:4.7.3 update 2

Trust: 0.8

vendor:reliance scadamodel: - scope:eqversion:4.7.2

Trust: 0.6

vendor:reliance scadamodel: - scope:eqversion:4.7.3

Trust: 0.6

vendor:geovapmodel:reliance scada updatescope:lteversion:<=v4.7.32

Trust: 0.6

vendor:geovapmodel:reliance scada updatescope:eqversion:4.7.32

Trust: 0.3

vendor:geovapmodel:reliance scada updatescope:eqversion:4.7.31

Trust: 0.3

vendor:geovapmodel:reliance scadascope:eqversion:4.7.3

Trust: 0.3

vendor:geovapmodel:reliance scadascope:eqversion:4.6

Trust: 0.3

vendor:geovapmodel:reliance scadascope:eqversion:4.5

Trust: 0.3

vendor:geovapmodel:reliance scada updatescope:neversion:4.7.33

Trust: 0.3

vendor:reliance scadamodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: e2dee4c0-39ab-11e9-8cbe-000c29342cb1 // CNVD: CNVD-2017-35814 // BID: 102031 // JVNDB: JVNDB-2017-010953 // CNNVD: CNNVD-201711-1262 // NVD: CVE-2017-16721

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-16721
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-16721
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-35814
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201711-1262
value: MEDIUM

Trust: 0.6

IVD: e2dee4c0-39ab-11e9-8cbe-000c29342cb1
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2017-16721
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-35814
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2dee4c0-39ab-11e9-8cbe-000c29342cb1
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-16721
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2017-16721
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: e2dee4c0-39ab-11e9-8cbe-000c29342cb1 // CNVD: CNVD-2017-35814 // JVNDB: JVNDB-2017-010953 // CNNVD: CNNVD-201711-1262 // NVD: CVE-2017-16721

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2017-010953 // NVD: CVE-2017-16721

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201711-1262

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201711-1262

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-010953

PATCH
title:Reliance SCADA/HMI system for downloadurl:https://www.reliance-scada.com/en/download
Trust: 0.8
title:Patch for Geovap Reliance SCADA Cross-Site Scripting Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/107563
Trust: 0.6
title:GEOVAP Relliance SCADA Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=76861
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-35814 // 
            
            
            
            JVNDB: JVNDB-2017-010953 // 
            
            
            
            CNNVD: CNNVD-201711-1262

EXTERNAL IDS
db:NVDid:CVE-2017-16721
Trust: 3.5
db:ICS CERTid:ICSA-17-334-02
Trust: 3.3
db:BIDid:102031
Trust: 1.9
db:CNVDid:CNVD-2017-35814
Trust: 0.8
db:CNNVDid:CNNVD-201711-1262
Trust: 0.8
db:JVNDBid:JVNDB-2017-010953
Trust: 0.8
db:IVDid:E2DEE4C0-39AB-11E9-8CBE-000C29342CB1
Trust: 0.2
sources:
            
            
            IVD: e2dee4c0-39ab-11e9-8cbe-000c29342cb1 // 
            
            
            
            CNVD: CNVD-2017-35814 // 
            
            
            
            BID: 102031 // 
            
            
            
            JVNDB: JVNDB-2017-010953 // 
            
            
            
            CNNVD: CNNVD-201711-1262 // 
            
            
            
            NVD: CVE-2017-16721

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-17-334-02
Trust: 3.3
url:http://www.securityfocus.com/bid/102031
Trust: 1.6
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-16721
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-16721
Trust: 0.8
url:https://www.reliance-scada.com/en/main
Trust: 0.3
url:https://www.reliance-scada.com/files-to-download/documentation/reliance4/reliancehistory_enu.html
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2017-35814 // 
            
            
            
            BID: 102031 // 
            
            
            
            JVNDB: JVNDB-2017-010953 // 
            
            
            
            CNNVD: CNNVD-201711-1262 // 
            
            
            
            NVD: CVE-2017-16721

CREDITS
Can Demirel
Trust: 0.9
sources:
            
            
            BID: 102031 // 
            
            
            
            CNNVD: CNNVD-201711-1262

SOURCES
db:IVDid:e2dee4c0-39ab-11e9-8cbe-000c29342cb1
db:CNVDid:CNVD-2017-35814
db:BIDid:102031
db:JVNDBid:JVNDB-2017-010953
db:CNNVDid:CNNVD-201711-1262
db:NVDid:CVE-2017-16721

LAST UPDATE DATE
2025-04-20T23:30:49.863000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-35814date:2017-12-01T00:00:00
db:BIDid:102031date:2017-12-19T22:37:00
db:JVNDBid:JVNDB-2017-010953date:2017-12-27T00:00:00
db:CNNVDid:CNNVD-201711-1262date:2019-10-17T00:00:00
db:NVDid:CVE-2017-16721date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:IVDid:e2dee4c0-39ab-11e9-8cbe-000c29342cb1date:2017-12-01T00:00:00
db:CNVDid:CNVD-2017-35814date:2017-12-01T00:00:00
db:BIDid:102031date:2017-11-30T00:00:00
db:JVNDBid:JVNDB-2017-010953date:2017-12-27T00:00:00
db:CNNVDid:CNNVD-201711-1262date:2017-12-01T00:00:00
db:NVDid:CVE-2017-16721date:2017-12-04T15:29:00.193