ID

VAR-201812-0478


CVE

CVE-2018-18991


TITLE

iniNet SpiderControl SCADA WebServer Cross-Site Scripting Vulnerability

Trust: 1.4

sources: IVD: 7d825c0f-463f-11e9-94ac-000c29342cb1 // CNVD: CNVD-2018-25282 // CNNVD: CNNVD-201812-126

DESCRIPTION

Reflected (non-persistent) cross-site scripting in SCADA WebServer (versions prior to 2.03.0001) could allow an attacker to send a crafted URL that contains JavaScript, which can be reflected off the web application to the victim's browser. SCADA WebServer contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. iniNet SpiderControl SCADA WebServer is a SCADA system server from the Swiss vendor iniNet Solutions. A cross-site scripting vulnerability exists in versions of iniNet SpiderControl SCADA WebServer prior to 2.03.0001. A remote attacker could exploit the vulnerability to execute JavaScript code by sending a specially crafted URL. Successful exploits will result in the execution of arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Trust: 2.61

sources: NVD: CVE-2018-18991 // JVNDB: JVNDB-2018-012969 // CNVD: CNVD-2018-25282 // BID: 106105 // IVD: 7d825c0f-463f-11e9-94ac-000c29342cb1

IOT TAXONOMY

category: ['ICS', 'Network device'], sub_category: -

Trust: 0.6

category: ['ICS'], sub_category: -

Trust: 0.2

sources: IVD: 7d825c0f-463f-11e9-94ac-000c29342cb1 // CNVD: CNVD-2018-25282

AFFECTED PRODUCTS

vendor: spidercontrol, model: scada webserver, scope: lt, version: 2.03.0001

Trust: 1.0

vendor: ininet, model: scada web server, scope: lt, version: 2.03.0001

Trust: 0.8

vendor: ininet, model: solutions ininet spidercontrol scada webserver, scope: lt, version: 2.03.0001

Trust: 0.6

vendor: spidercontrol, model: scada web server, scope: eq, version: 2.3

Trust: 0.3

vendor: spidercontrol, model: scada web server, scope: ne, version: 2.3.1

Trust: 0.3

vendor: scada webserver, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: 7d825c0f-463f-11e9-94ac-000c29342cb1 // CNVD: CNVD-2018-25282 // BID: 106105 // JVNDB: JVNDB-2018-012969 // NVD: CVE-2018-18991

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-18991
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-18991
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-25282
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201812-126
value: MEDIUM

Trust: 0.6

IVD: 7d825c0f-463f-11e9-94ac-000c29342cb1
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2018-18991
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-25282
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 7d825c0f-463f-11e9-94ac-000c29342cb1
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2018-18991
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: IVD: 7d825c0f-463f-11e9-94ac-000c29342cb1 // CNVD: CNVD-2018-25282 // JVNDB: JVNDB-2018-012969 // CNNVD: CNNVD-201812-126 // NVD: CVE-2018-18991

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2018-012969 // NVD: CVE-2018-18991

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201812-126

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201812-126

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-012969

PATCH

title: Top Page, url: http://spidercontrol.net/

Trust: 0.8

title: Patch for iniNet SpiderControl SCADA WebServer cross-site scripting vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/146971

Trust: 0.6

title: iniNet SpiderControl SCADA WebServer Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=87422

Trust: 0.6

sources: CNVD: CNVD-2018-25282 // JVNDB: JVNDB-2018-012969 // CNNVD: CNNVD-201812-126

EXTERNAL IDS

db: NVD, id: CVE-2018-18991

Trust: 3.5

db: ICS CERT, id: ICSA-18-338-02

Trust: 3.3

db: BID, id: 106105

Trust: 2.5

db: CNVD, id: CNVD-2018-25282

Trust: 0.8

db: CNNVD, id: CNNVD-201812-126

Trust: 0.8

db: JVNDB, id: JVNDB-2018-012969

Trust: 0.8

db: IVD, id: 7D825C0F-463F-11E9-94AC-000C29342CB1

Trust: 0.2

sources: IVD: 7d825c0f-463f-11e9-94ac-000c29342cb1 // CNVD: CNVD-2018-25282 // BID: 106105 // JVNDB: JVNDB-2018-012969 // CNNVD: CNNVD-201812-126 // NVD: CVE-2018-18991

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-18-338-02

Trust: 3.3

url:http://www.securityfocus.com/bid/106105

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18991

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-18991

Trust: 0.8

url:http://spidercontrol.net/download/downloadarea/?lang=en

Trust: 0.3

sources: CNVD: CNVD-2018-25282 // BID: 106105 // JVNDB: JVNDB-2018-012969 // CNNVD: CNNVD-201812-126 // NVD: CVE-2018-18991

CREDITS

Ismail Bulbul

Trust: 0.3

sources: BID: 106105

SOURCES

db: IVD, id: 7d825c0f-463f-11e9-94ac-000c29342cb1
db: CNVD, id: CNVD-2018-25282
db: BID, id: 106105
db: JVNDB, id: JVNDB-2018-012969
db: CNNVD, id: CNNVD-201812-126
db: NVD, id: CVE-2018-18991

LAST UPDATE DATE

2024-11-23T22:48:31.514000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-25282, date: 2018-12-14T00:00:00
db: BID, id: 106105, date: 2018-12-04T00:00:00
db: JVNDB, id: JVNDB-2018-012969, date: 2019-02-12T00:00:00
db: CNNVD, id: CNNVD-201812-126, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-18991, date: 2024-11-21T03:56:59.973

SOURCES RELEASE DATE

db: IVD, id: 7d825c0f-463f-11e9-94ac-000c29342cb1, date: 2018-12-14T00:00:00
db: CNVD, id: CNVD-2018-25282, date: 2018-12-13T00:00:00
db: BID, id: 106105, date: 2018-12-04T00:00:00
db: JVNDB, id: JVNDB-2018-012969, date: 2019-02-12T00:00:00
db: CNNVD, id: CNNVD-201812-126, date: 2018-12-05T00:00:00
db: NVD, id: CVE-2018-18991, date: 2018-12-04T21:29:00.333