ID

VAR-201806-0752


CVE

CVE-2018-12355


TITLE

Knowage vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-006201

DESCRIPTION

Knowage (formerly SpagoBI) 6.1.1 allows XSS via the name or description field to the "Olap Schemas' Catalogue" catalogue. Knowage (formerly SpagoBI) contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Knowage (formerly known as SpagoBI) is an open source suite for modern business analysis on traditional resources and big data systems from Knowage, Italy. A cross-site scripting vulnerability exists in Knowage 6.1.1. A remote attacker could use this vulnerability to inject arbitrary web scripts or HTML by sending a name or description field to the 'Olap Schemas' Catalogue' directory.

Trust: 2.16

sources: NVD: CVE-2018-12355 // JVNDB: JVNDB-2018-006201 // CNVD: CNVD-2018-11813

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-11813

AFFECTED PRODUCTS

vendor: knowage, model: knowage, scope: eq, version: 6.1.1

Trust: 1.4

vendor: eng, model: knowage, scope: eq, version: 6.1.1

Trust: 1.0

vendor: knowage suite, model: knowage, scope: eq, version: 6.1.1

Trust: 0.6

sources: CNVD: CNVD-2018-11813 // JVNDB: JVNDB-2018-006201 // CNNVD: CNNVD-201806-814 // NVD: CVE-2018-12355

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-12355
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-12355
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-11813
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201806-814
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2018-12355
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-11813
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2018-12355
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2018-12355
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2018-11813 // JVNDB: JVNDB-2018-006201 // CNNVD: CNNVD-201806-814 // NVD: CVE-2018-12355

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2018-006201 // NVD: CVE-2018-12355

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201806-814

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201806-814

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-006201

PATCH

title: Top Page, url: https://www.knowage-suite.com/site/home/

Trust: 0.8

sources: JVNDB: JVNDB-2018-006201

EXTERNAL IDS

db: NVD, id: CVE-2018-12355

Trust: 3.0

db: JVNDB, id: JVNDB-2018-006201

Trust: 0.8

db: CNVD, id: CNVD-2018-11813

Trust: 0.6

db: CNNVD, id: CNNVD-201806-814

Trust: 0.6

sources: CNVD: CNVD-2018-11813 // JVNDB: JVNDB-2018-006201 // CNNVD: CNNVD-201806-814 // NVD: CVE-2018-12355

REFERENCES

url:https://medium.com/stolabs/security-issue-on-knowage-spagobi-ec539a68e55

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2018-12355

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-12355

Trust: 0.8

sources: CNVD: CNVD-2018-11813 // JVNDB: JVNDB-2018-006201 // CNNVD: CNNVD-201806-814 // NVD: CVE-2018-12355

SOURCES

db: CNVD, id: CNVD-2018-11813
db: JVNDB, id: JVNDB-2018-006201
db: CNNVD, id: CNNVD-201806-814
db: NVD, id: CVE-2018-12355

LAST UPDATE DATE

2024-11-23T22:38:08.042000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-11813, date: 2018-06-21T00:00:00
db: JVNDB, id: JVNDB-2018-006201, date: 2018-08-10T00:00:00
db: CNNVD, id: CNNVD-201806-814, date: 2020-06-05T00:00:00
db: NVD, id: CVE-2018-12355, date: 2024-11-21T03:45:02.070

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-11813, date: 2018-06-21T00:00:00
db: JVNDB, id: JVNDB-2018-006201, date: 2018-08-10T00:00:00
db: CNNVD, id: CNNVD-201806-814, date: 2018-06-14T00:00:00
db: NVD, id: CVE-2018-12355, date: 2018-06-13T23:29:00.567