Details of VAR-201901-0860

ID

VAR-201901-0860

CVE

CVE-2018-18985

TITLE

plural Tridium Niagara Product Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-013990

DESCRIPTION

Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality. plural Tridium Niagara Product Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Multiple Tridium Products are prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 1.89

sources: NVD: CVE-2018-18985 // JVNDB: JVNDB-2018-013990 // BID: 106530

AFFECTED PRODUCTS

vendor:	tridium	model:	niagara enterprise security	scope:	lt	version:	2.3.118.6	Trust: 1.0
vendor:	tridium	model:	niagara	scope:	lt	version:	4.4.93.40.2	Trust: 1.0
vendor:	tridium	model:	niagara ax framework	scope:	eq	version:	3.8u4	Trust: 1.0
vendor:	tridium	model:	niagara	scope:	lt	version:	4.6.96.28.4	Trust: 1.0
vendor:	tridium	model:	niagara enterprise security	scope:	eq	version:	2.3u1	Trust: 1.0
vendor:	tridium	model:	niagara ax framework	scope:	lt	version:	3.8.401.1	Trust: 1.0
vendor:	tridium	model:	niagara	scope:	eq	version:	4.4u2	Trust: 1.0
vendor:	tridium	model:	niagara	scope:	gte	version:	4.6	Trust: 1.0
vendor:	tridium	model:	niagara	scope:	lt	version:	4.4u2 4.4.93.40.2	Trust: 0.8
vendor:	tridium	model:	niagara	scope:	lt	version:	niagara 4.6 4.6.96.28.4	Trust: 0.8
vendor:	tridium	model:	niagara ax framework	scope:	lt	version:	3.8u4 3.8.401.1	Trust: 0.8
vendor:	tridium	model:	niagara enterprise security	scope:	lt	version:	2.3u1 2.3.118.6	Trust: 0.8
vendor:	tridium	model:	niagara enterprise security 2.3u1	scope:	-	version:	-	Trust: 0.3
vendor:	tridium	model:	niagara ax 3.8u4	scope:	-	version:	-	Trust: 0.3
vendor:	tridium	model:	niagara	scope:	eq	version:	4.6	Trust: 0.3
vendor:	tridium	model:	niagara 4.4u2	scope:	-	version:	-	Trust: 0.3
vendor:	tridium	model:	niagara enterprise security	scope:	ne	version:	2.3.118.6	Trust: 0.3
vendor:	tridium	model:	niagara ax	scope:	ne	version:	3.8.401.1	Trust: 0.3
vendor:	tridium	model:	niagara	scope:	ne	version:	4.6.96.28.4	Trust: 0.3
vendor:	tridium	model:	niagara	scope:	ne	version:	4.4.93.40.2	Trust: 0.3

sources: BID: 106530 // JVNDB: JVNDB-2018-013990 // NVD: CVE-2018-18985

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-18985
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-18985
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201901-430
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2018-18985
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2018-18985
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: JVNDB: JVNDB-2018-013990 // CNNVD: CNNVD-201901-430 // NVD: CVE-2018-18985

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2018-013990 // NVD: CVE-2018-18985

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201901-430

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201901-430

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013990

PATCH

title:	Top Page	url:	https://www.tridium.com/	Trust: 0.8
title:	TRIDIUM Niagara Enterprise Security , Niagara AX and Niagara Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=88589	Trust: 0.6

sources: JVNDB: JVNDB-2018-013990 // CNNVD: CNNVD-201901-430

EXTERNAL IDS

db:	ICS CERT	id:	ICSA-18-333-02	Trust: 2.7
db:	NVD	id:	CVE-2018-18985	Trust: 2.7
db:	BID	id:	106530	Trust: 1.9
db:	JVNDB	id:	JVNDB-2018-013990	Trust: 0.8
db:	CNNVD	id:	CNNVD-201901-430	Trust: 0.6

sources: BID: 106530 // JVNDB: JVNDB-2018-013990 // CNNVD: CNNVD-201901-430 // NVD: CVE-2018-18985

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-18-333-02	Trust: 2.7
url:	http://www.securityfocus.com/bid/106530	Trust: 2.2
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18985	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-18985	Trust: 0.8
url:	https://www.tridium.com/	Trust: 0.3

sources: BID: 106530 // JVNDB: JVNDB-2018-013990 // CNNVD: CNNVD-201901-430 // NVD: CVE-2018-18985

CREDITS

Daniel Santos and Elisa Costante of SecurityMatters

Trust: 0.9

sources: BID: 106530 // CNNVD: CNNVD-201901-430

SOURCES

db:	BID	id:	106530
db:	JVNDB	id:	JVNDB-2018-013990
db:	CNNVD	id:	CNNVD-201901-430
db:	NVD	id:	CVE-2018-18985

LAST UPDATE DATE

2024-11-23T22:55:40.355000+00:00

SOURCES UPDATE DATE

db:	BID	id:	106530	date:	2019-01-10T00:00:00
db:	JVNDB	id:	JVNDB-2018-013990	date:	2019-03-07T00:00:00
db:	CNNVD	id:	CNNVD-201901-430	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-18985	date:	2024-11-21T03:56:59.257

SOURCES RELEASE DATE

db:	BID	id:	106530	date:	2019-01-10T00:00:00
db:	JVNDB	id:	JVNDB-2018-013990	date:	2019-03-07T00:00:00
db:	CNNVD	id:	CNNVD-201901-430	date:	2019-01-14T00:00:00
db:	NVD	id:	CVE-2018-18985	date:	2019-01-29T16:29:00.483