Sign-up

ID

VAR-201810-0491


CVE

CVE-2018-17904


TITLE

Geovap Reliance 4 SCADA/HMI cross-site scripting vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-49321 // CNNVD: CNNVD-201810-1267

DESCRIPTION

Reliance 4 SCADA/HMI, Version 4.7.3 Update 3 and prior. This vulnerability could allow an unauthorized attacker to inject arbitrary code. Reliance 4 SCADA/HMI Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Geovap Reliance 4 SCADA/HMI is a set of industrial process and building automation monitoring system of GEOVAP company in the Czech Republic. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 2.52

sources: NVD: CVE-2018-17904 // JVNDB: JVNDB-2018-013872 // CNVD: CNVD-2020-49321 // BID: 105738 // VULMON: CVE-2018-17904

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-49321

AFFECTED PRODUCTS

vendor:geovapmodel:reliance 4scope:lteversion:4.7.3

Trust: 1.0

vendor:geovapmodel:reliance 4scope:eqversion:4.7.3

Trust: 1.0

vendor:geovap spol s r omodel:reliance scadascope:eqversion:4.7.3 update 3 and less

Trust: 0.8

vendor:geovapmodel:reliance updatescope:eqversion:4<=4.7.33

Trust: 0.6

vendor:geovapmodel:reliance scada updatescope:eqversion:4.7.33

Trust: 0.3

vendor:geovapmodel:reliance scada updatescope:eqversion:4.7.32

Trust: 0.3

vendor:geovapmodel:reliance scada updatescope:eqversion:4.7.31

Trust: 0.3

vendor:geovapmodel:reliance scadascope:eqversion:4.7.3

Trust: 0.3

vendor:geovapmodel:reliance scadascope:eqversion:4.6

Trust: 0.3

vendor:geovapmodel:reliance scadascope:eqversion:4.5

Trust: 0.3

vendor:geovapmodel:reliance scadascope:neversion:4.8

Trust: 0.3

sources: CNVD: CNVD-2020-49321 // BID: 105738 // JVNDB: JVNDB-2018-013872 // NVD: CVE-2018-17904

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-17904
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-17904
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-49321
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201810-1267
value: MEDIUM

Trust: 0.6

VULMON: CVE-2018-17904
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-17904
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2020-49321
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2018-17904
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2020-49321 // VULMON: CVE-2018-17904 // JVNDB: JVNDB-2018-013872 // CNNVD: CNNVD-201810-1267 // NVD: CVE-2018-17904

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2018-013872 // NVD: CVE-2018-17904

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-1267

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201810-1267

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-013872

PATCH
title:Reliance SCADA/HMI system for downloadurl:https://www.reliance-scada.com/en/download
Trust: 0.8
title:Patch for Geovap Reliance 4 SCADA/HMI cross-site scripting vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/232264
Trust: 0.6
title:GEOVAP Reliance 4 SCADA/HMI Security hole Repair measuresurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86342
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-49321 // 
            
            
            
            JVNDB: JVNDB-2018-013872 // 
            
            
            
            CNNVD: CNNVD-201810-1267

EXTERNAL IDS
db:NVDid:CVE-2018-17904
Trust: 3.4
db:ICS CERTid:ICSA-18-298-01
Trust: 3.4
db:BIDid:105738
Trust: 2.0
db:JVNDBid:JVNDB-2018-013872
Trust: 0.8
db:CNVDid:CNVD-2020-49321
Trust: 0.6
db:CNNVDid:CNNVD-201810-1267
Trust: 0.6
db:VULMONid:CVE-2018-17904
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2020-49321 // 
            
            
            
            VULMON: CVE-2018-17904 // 
            
            
            
            BID: 105738 // 
            
            
            
            JVNDB: JVNDB-2018-013872 // 
            
            
            
            CNNVD: CNNVD-201810-1267 // 
            
            
            
            NVD: CVE-2018-17904

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-18-298-01
Trust: 3.5
url:http://www.securityfocus.com/bid/105738
Trust: 1.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17904
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-17904
Trust: 0.8
url:https://www.reliance-scada.com/en/main
Trust: 0.3
url:https://www.reliance-scada.com/en/support/articles/technical/what-is-new-in-reliance480#securitylevel
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/79.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2020-49321 // 
            
            
            
            VULMON: CVE-2018-17904 // 
            
            
            
            BID: 105738 // 
            
            
            
            JVNDB: JVNDB-2018-013872 // 
            
            
            
            CNNVD: CNNVD-201810-1267 // 
            
            
            
            NVD: CVE-2018-17904

CREDITS
Ismail Mert AY AK
Trust: 0.3
sources:
            
            
            BID: 105738

SOURCES
db:CNVDid:CNVD-2020-49321
db:VULMONid:CVE-2018-17904
db:BIDid:105738
db:JVNDBid:JVNDB-2018-013872
db:CNNVDid:CNNVD-201810-1267
db:NVDid:CVE-2018-17904

LAST UPDATE DATE
2024-11-23T23:08:34.345000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2020-49321date:2020-08-30T00:00:00
db:VULMONid:CVE-2018-17904date:2019-10-09T00:00:00
db:BIDid:105738date:2018-10-25T00:00:00
db:JVNDBid:JVNDB-2018-013872date:2019-03-05T00:00:00
db:CNNVDid:CNNVD-201810-1267date:2019-10-17T00:00:00
db:NVDid:CVE-2018-17904date:2024-11-21T03:55:10.690

SOURCES RELEASE DATE
db:CNVDid:CNVD-2020-49321date:2020-08-29T00:00:00
db:VULMONid:CVE-2018-17904date:2018-10-25T00:00:00
db:BIDid:105738date:2018-10-25T00:00:00
db:JVNDBid:JVNDB-2018-013872date:2019-03-05T00:00:00
db:CNNVDid:CNNVD-201810-1267date:2018-10-26T00:00:00
db:NVDid:CVE-2018-17904date:2018-10-25T22:29:00.220