ID

VAR-201806-1408


CVE

CVE-2018-11448


TITLE

SIEMENS SCALANCE M875 Cross-Site Scripting Vulnerability

Trust: 1.4

sources: IVD: e2f30900-39ab-11e9-a7bc-000c29342cb1 // CNVD: CNVD-2018-11395 // CNNVD: CNNVD-201806-872

DESCRIPTION

A vulnerability has been identified in SCALANCE M875 (All versions). The web interface on port 443/tcp could allow a stored Cross-Site Scripting (XSS) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires that the attacker has access to the web interface of an affected device. The attacker must be authenticated as an administrative user on the web interface. Afterwards, a legitimate user must access the web interface. A successful attack could allow an attacker to execute malicious code in the browser of a legitimate user. At the time of advisory publication no public exploitation of this security vulnerability was known. SCALANCE M875 contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. SCALANCE M industrial routers are used for secure remote access to factories via mobile networks, such as GPRS or UMTS, with integrated security features: a firewall to prevent unauthorized access and VPNs to protect data transmission. Siemens SCALANCE M875 is an industrial-grade mobile wireless router product of Siemens.

Trust: 2.43

sources: NVD: CVE-2018-11448 // JVNDB: JVNDB-2018-007058 // CNVD: CNVD-2018-11395 // IVD: e2f30900-39ab-11e9-a7bc-000c29342cb1 // VULHUB: VHN-121308

IOT TAXONOMY

category: ['ICS', 'Network device'] sub_category: -

Trust: 0.6

category: ['ICS'] sub_category: -

Trust: 0.2

sources: IVD: e2f30900-39ab-11e9-a7bc-000c29342cb1 // CNVD: CNVD-2018-11395

AFFECTED PRODUCTS

vendor: siemens model: scalance m875 scope: eq version: -

Trust: 2.4

vendor: siemens model: scalance m875 scope: - version: -

Trust: 0.6

vendor: scalance m875 model: - scope: eq version: -

Trust: 0.2

sources: IVD: e2f30900-39ab-11e9-a7bc-000c29342cb1 // CNVD: CNVD-2018-11395 // JVNDB: JVNDB-2018-007058 // CNNVD: CNNVD-201806-872 // NVD: CVE-2018-11448

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-11448
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-11448
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-11395
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201806-872
value: MEDIUM

Trust: 0.6

IVD: e2f30900-39ab-11e9-a7bc-000c29342cb1
value: MEDIUM

Trust: 0.2

VULHUB: VHN-121308
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-11448
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-11395
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2f30900-39ab-11e9-a7bc-000c29342cb1
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-121308
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-11448
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: IVD: e2f30900-39ab-11e9-a7bc-000c29342cb1 // CNVD: CNVD-2018-11395 // VULHUB: VHN-121308 // JVNDB: JVNDB-2018-007058 // CNNVD: CNNVD-201806-872 // NVD: CVE-2018-11448

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

problemtype:CWE-352

Trust: 1.0

sources: VULHUB: VHN-121308 // JVNDB: JVNDB-2018-007058 // NVD: CVE-2018-11448

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201806-872

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201806-872

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-007058

PATCH

title: SSA-977428 url: https://cert-portal.siemens.com/productcert/pdf/ssa-977428.pdf

Trust: 0.8

title: Patch for SIEMENS SCALANCE M875 Cross-Site Scripting Vulnerability url: https://www.cnvd.org.cn/patchInfo/show/131851

Trust: 0.6

title: Siemens SCALANCE M875 Fixes for cross-site scripting vulnerabilities url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=80920

Trust: 0.6

sources: CNVD: CNVD-2018-11395 // JVNDB: JVNDB-2018-007058 // CNNVD: CNNVD-201806-872

EXTERNAL IDS

db: NVD id: CVE-2018-11448

Trust: 3.3

db: SIEMENS id: SSA-977428

Trust: 2.3

db: CNNVD id: CNNVD-201806-872

Trust: 0.9

db: CNVD id: CNVD-2018-11395

Trust: 0.8

db: JVNDB id: JVNDB-2018-007058

Trust: 0.8

db: IVD id: E2F30900-39AB-11E9-A7BC-000C29342CB1

Trust: 0.2

db: VULHUB id: VHN-121308

Trust: 0.1

sources: IVD: e2f30900-39ab-11e9-a7bc-000c29342cb1 // CNVD: CNVD-2018-11395 // VULHUB: VHN-121308 // JVNDB: JVNDB-2018-007058 // CNNVD: CNNVD-201806-872 // NVD: CVE-2018-11448

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-977428.pdf

Trust: 2.3

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11448

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-11448

Trust: 0.8

sources: CNVD: CNVD-2018-11395 // VULHUB: VHN-121308 // JVNDB: JVNDB-2018-007058 // CNNVD: CNNVD-201806-872 // NVD: CVE-2018-11448

SOURCES

db: IVD id: e2f30900-39ab-11e9-a7bc-000c29342cb1
db: CNVD id: CNVD-2018-11395
db: VULHUB id: VHN-121308
db: JVNDB id: JVNDB-2018-007058
db: CNNVD id: CNNVD-201806-872
db: NVD id: CVE-2018-11448

LAST UPDATE DATE

2024-11-23T22:00:28.403000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2018-11395 date: 2018-06-13T00:00:00
db: VULHUB id: VHN-121308 date: 2019-10-09T00:00:00
db: JVNDB id: JVNDB-2018-007058 date: 2018-09-06T00:00:00
db: CNNVD id: CNNVD-201806-872 date: 2019-10-17T00:00:00
db: NVD id: CVE-2018-11448 date: 2024-11-21T03:43:23.363

SOURCES RELEASE DATE

db: IVD id: e2f30900-39ab-11e9-a7bc-000c29342cb1 date: 2018-06-13T00:00:00
db: CNVD id: CNVD-2018-11395 date: 2018-06-13T00:00:00
db: VULHUB id: VHN-121308 date: 2018-06-26T00:00:00
db: JVNDB id: JVNDB-2018-007058 date: 2018-09-06T00:00:00
db: CNNVD id: CNNVD-201806-872 date: 2018-06-13T00:00:00
db: NVD id: CVE-2018-11448 date: 2018-06-26T18:29:00.697