ID

VAR-201806-0750


CVE

CVE-2018-12353


TITLE

Knowage Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2018-11815 // CNNVD: CNNVD-201806-816

DESCRIPTION

Knowage (formerly SpagoBI) 6.1.1 allows XSS via the name field to the "Business Model's Catalogue" catalogue. Knowage (formerly SpagoBI) contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Knowage (formerly known as SpagoBI) is an open source suite for modern business analysis on traditional resources and big data systems from Knowage, Italy. A cross-site scripting vulnerability exists in Knowage 6.1.1. A remote attacker could use this vulnerability to inject arbitrary web scripts or HTML by sending a name field to the 'Business Model's Catalogue' directory.

Trust: 2.16

sources: NVD: CVE-2018-12353 // JVNDB: JVNDB-2018-006200 // CNVD: CNVD-2018-11815

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-11815

AFFECTED PRODUCTS

vendor: knowage suite, model: knowage, scope: eq, version: 6.1.1

Trust: 1.6

vendor: knowage, model: knowage, scope: eq, version: 6.1.1

Trust: 1.4

sources: CNVD: CNVD-2018-11815 // JVNDB: JVNDB-2018-006200 // CNNVD: CNNVD-201806-816 // NVD: CVE-2018-12353

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-12353
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-12353
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-11815
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201806-816
value: MEDIUM

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2018-12353
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-11815
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2018-12353
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-11815 // JVNDB: JVNDB-2018-006200 // CNNVD: CNNVD-201806-816 // NVD: CVE-2018-12353

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2018-006200 // NVD: CVE-2018-12353

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201806-816

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201806-816

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-006200

PATCH

title: Top Page, url: https://www.knowage-suite.com/site/home/

Trust: 0.8

sources: JVNDB: JVNDB-2018-006200

EXTERNAL IDS

db: NVD, id: CVE-2018-12353

Trust: 3.0

db: JVNDB, id: JVNDB-2018-006200

Trust: 0.8

db: CNVD, id: CNVD-2018-11815

Trust: 0.6

db: CNNVD, id: CNNVD-201806-816

Trust: 0.6

sources: CNVD: CNVD-2018-11815 // JVNDB: JVNDB-2018-006200 // CNNVD: CNNVD-201806-816 // NVD: CVE-2018-12353

REFERENCES

url: https://medium.com/stolabs/security-issue-on-knowage-spagobi-ec539a68e55

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2018-12353

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-12353

Trust: 0.8

sources: CNVD: CNVD-2018-11815 // JVNDB: JVNDB-2018-006200 // CNNVD: CNNVD-201806-816 // NVD: CVE-2018-12353

SOURCES

db: CNVD, id: CNVD-2018-11815
db: JVNDB, id: JVNDB-2018-006200
db: CNNVD, id: CNNVD-201806-816
db: NVD, id: CVE-2018-12353

LAST UPDATE DATE

2024-11-23T22:26:22.339000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-11815, date: 2018-06-21T00:00:00
db: JVNDB, id: JVNDB-2018-006200, date: 2018-08-10T00:00:00
db: CNNVD, id: CNNVD-201806-816, date: 2018-06-14T00:00:00
db: NVD, id: CVE-2018-12353, date: 2024-11-21T03:45:01.763

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-11815, date: 2018-06-21T00:00:00
db: JVNDB, id: JVNDB-2018-006200, date: 2018-08-10T00:00:00
db: CNNVD, id: CNNVD-201806-816, date: 2018-06-14T00:00:00
db: NVD, id: CVE-2018-12353, date: 2018-06-13T23:29:00.473