Details of VAR-201912-0904

ID

VAR-201912-0904

CVE

CVE-2019-19368

TITLE

Rumpus FTP Web File Manager Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-03550 // CNNVD: CNNVD-201912-719

DESCRIPTION

A Reflected Cross Site Scripting was discovered in the Login page of Rumpus FTP Web File Manager 8.2.9.1. An attacker can exploit it by sending a crafted link to end users and can execute arbitrary Javascripts. The vulnerability stems from the lack of proper validation of client data by web applications. An attacker could use this vulnerability to execute client code

Trust: 2.25

sources: NVD: CVE-2019-19368 // JVNDB: JVNDB-2019-013417 // CNVD: CNVD-2020-03550 // VULMON: CVE-2019-19368

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-03550

AFFECTED PRODUCTS

vendor:	maxum	model:	rumpus	scope:	eq	version:	8.2.9.1	Trust: 2.4
vendor:	rumpus	model:	ftp web file manager	scope:	eq	version:	8.2.9.1	Trust: 0.6

sources: CNVD: CNVD-2020-03550 // JVNDB: JVNDB-2019-013417 // NVD: CVE-2019-19368 // CNNVD: CNNVD-201912-719

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2019-19368
value:	MEDIUM
Trust: 1.8
CNVD:	CNVD-2020-03550
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201912-719
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2019-19368
value:	MEDIUM
Trust: 0.1

NVD:
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	TRUE
version:	2.0
Trust: 1.0
NVD:	CVE-2019-19368
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.9
CNVD:	CNVD-2020-03550
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

NVD:
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2019-19368
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-03550 // VULMON: CVE-2019-19368 // JVNDB: JVNDB-2019-013417 // NVD: CVE-2019-19368 // CNNVD: CNNVD-201912-719

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2019-013417 // NVD: CVE-2019-19368

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201912-719

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201912-719

CONFIGURATIONS

sources: NVD: CVE-2019-19368

PATCH

title:	Rumpus	url:	https://www.maxum.com/rumpus/download.html	Trust: 0.8
title:	Patch for Rumpus FTP Web File Manager Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchinfo/show/198805	Trust: 0.6
title:	Rumpus FTP Web File Manager Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=105747	Trust: 0.6
title:	nuclei-templates	url:	https://github.com/projectdiscovery/nuclei-templates	Trust: 0.1
title:	nuclei-templates	url:	https://github.com/storenth/nuclei-templates	Trust: 0.1
title:	kenzer-templates	url:	https://github.com/elsfa7-110/kenzer-templates	Trust: 0.1
title:	kenzer-templates	url:	https://github.com/arpsyndicate/kenzer-templates	Trust: 0.1

sources: CNVD: CNVD-2020-03550 // VULMON: CVE-2019-19368 // JVNDB: JVNDB-2019-013417 // CNNVD: CNNVD-201912-719

EXTERNAL IDS

db:	NVD	id:	CVE-2019-19368	Trust: 3.1
db:	PACKETSTORM	id:	155719	Trust: 2.5
db:	JVN	id:	JVNVU93632155	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-013417	Trust: 0.8
db:	CNVD	id:	CNVD-2020-03550	Trust: 0.6
db:	CNNVD	id:	CNNVD-201912-719	Trust: 0.6
db:	VULMON	id:	CVE-2019-19368	Trust: 0.1

sources: CNVD: CNVD-2020-03550 // VULMON: CVE-2019-19368 // JVNDB: JVNDB-2019-013417 // NVD: CVE-2019-19368 // CNNVD: CNNVD-201912-719

REFERENCES

url:	http://packetstormsecurity.com/files/155719/rumpus-ftp-web-file-manager-8.2.9.1-cross-site-scripting.html	Trust: 2.6
url:	https://github.com/harshit-shukla/cve-2019-19368/	Trust: 2.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-19368	Trust: 2.0
url:	https://www.maxum.com/rumpus/download.html	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-19368	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu93632155/	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/projectdiscovery/nuclei-templates	Trust: 0.1

sources: CNVD: CNVD-2020-03550 // VULMON: CVE-2019-19368 // JVNDB: JVNDB-2019-013417 // NVD: CVE-2019-19368 // CNNVD: CNNVD-201912-719

CREDITS

Sudeepto Roy

Trust: 0.6

sources: CNNVD: CNNVD-201912-719

SOURCES

db:	CNVD	id:	CNVD-2020-03550
db:	VULMON	id:	CVE-2019-19368
db:	JVNDB	id:	JVNDB-2019-013417
db:	NVD	id:	CVE-2019-19368
db:	CNNVD	id:	CNNVD-201912-719

LAST UPDATE DATE

2023-12-18T11:19:28.896000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-03550	date:	2020-02-04T00:00:00
db:	VULMON	id:	CVE-2019-19368	date:	2019-12-23T00:00:00
db:	JVNDB	id:	JVNDB-2019-013417	date:	2019-12-27T00:00:00
db:	NVD	id:	CVE-2019-19368	date:	2019-12-23T13:30:46.577
db:	CNNVD	id:	CNNVD-201912-719	date:	2019-12-24T00:00:00

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-03550	date:	2020-02-04T00:00:00
db:	VULMON	id:	CVE-2019-19368	date:	2019-12-16T00:00:00
db:	JVNDB	id:	JVNDB-2019-013417	date:	2019-12-27T00:00:00
db:	NVD	id:	CVE-2019-19368	date:	2019-12-16T16:15:11.737
db:	CNNVD	id:	CNNVD-201912-719	date:	2019-12-16T00:00:00