ID

VAR-201912-1179


CVE

CVE-2019-13930


TITLE

Siemens XHQ Cross-Site Request Forgery Vulnerability

Trust: 0.8

sources: IVD: aef90bd7-2dca-4bae-b0ac-fc91e114bbb8 // CNVD: CNVD-2019-46390

DESCRIPTION

A vulnerability has been identified in XHQ (All versions < V6.0.0.2). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user, who must be authenticated to the web interface. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. This could allow the attacker to read or modify contents of the web application. At the time of advisory publication no public exploitation of this security vulnerability was known. XHQ contains a cross-site request forgery vulnerability. Information may be obtained and information may be altered. Siemens XHQ production and operation intelligence is Siemens Energy's flagship solution, which is widely deployed in the world's largest oil and gas and chemical companies.

Trust: 2.43

sources: NVD: CVE-2019-13930 // JVNDB: JVNDB-2019-013307 // CNVD: CNVD-2019-46390 // IVD: aef90bd7-2dca-4bae-b0ac-fc91e114bbb8 // VULMON: CVE-2019-13930

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: aef90bd7-2dca-4bae-b0ac-fc91e114bbb8 // CNVD: CNVD-2019-46390

AFFECTED PRODUCTS

vendor: siemens, model: xhq, scope: lt, version: 6.0.0.2

Trust: 1.8

vendor: siemens, model: xhq, scope: lt, version: v6.0.0.2

Trust: 0.6

vendor: xhq, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: aef90bd7-2dca-4bae-b0ac-fc91e114bbb8 // CNVD: CNVD-2019-46390 // JVNDB: JVNDB-2019-013307 // NVD: CVE-2019-13930

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-13930
value: HIGH

Trust: 1.0

NVD: CVE-2019-13930
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-46390
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201912-419
value: HIGH

Trust: 0.6

IVD: aef90bd7-2dca-4bae-b0ac-fc91e114bbb8
value: HIGH

Trust: 0.2

VULMON: CVE-2019-13930
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-13930
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-46390
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: aef90bd7-2dca-4bae-b0ac-fc91e114bbb8
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2019-13930
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2019-13930
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: aef90bd7-2dca-4bae-b0ac-fc91e114bbb8 // CNVD: CNVD-2019-46390 // VULMON: CVE-2019-13930 // JVNDB: JVNDB-2019-013307 // CNNVD: CNNVD-201912-419 // NVD: CVE-2019-13930

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2019-013307 // NVD: CVE-2019-13930

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201912-419

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201912-419

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-013307

PATCH

title: SSA-525454, url: https://cert-portal.siemens.com/productcert/pdf/ssa-525454.pdf

Trust: 0.8

title: Patch for Siemens XHQ Cross-Site Request Forgery Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/194753

Trust: 0.6

title: Siemens XHQ Operations Intelligence Fixes for cross-site request forgery vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=105786

Trust: 0.6

title: Siemens Security Advisories: Siemens Security Advisory, url: https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=b34e28434e259a2141a8e8c34c306367

Trust: 0.1

sources: CNVD: CNVD-2019-46390 // VULMON: CVE-2019-13930 // JVNDB: JVNDB-2019-013307 // CNNVD: CNNVD-201912-419

EXTERNAL IDS

db: NVD, id: CVE-2019-13930

Trust: 3.3

db: SIEMENS, id: SSA-525454

Trust: 1.7

db: ICS CERT, id: ICSA-19-344-05

Trust: 1.2

db: CNVD, id: CNVD-2019-46390

Trust: 0.8

db: CNNVD, id: CNNVD-201912-419

Trust: 0.8

db: JVNDB, id: JVNDB-2019-013307

Trust: 0.8

db: AUSCERT, id: ESB-2019.4622

Trust: 0.6

db: IVD, id: AEF90BD7-2DCA-4BAE-B0AC-FC91E114BBB8

Trust: 0.2

db: VULMON, id: CVE-2019-13930

Trust: 0.1

sources: IVD: aef90bd7-2dca-4bae-b0ac-fc91e114bbb8 // CNVD: CNVD-2019-46390 // VULMON: CVE-2019-13930 // JVNDB: JVNDB-2019-013307 // CNNVD: CNNVD-201912-419 // NVD: CVE-2019-13930

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-525454.pdf

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-13930

Trust: 1.4

url:https://www.us-cert.gov/ics/advisories/icsa-19-344-05

Trust: 1.2

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13930

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2019.4622/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/352.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://cert-portal.siemens.com/productcert/txt/ssa-525454.txt

Trust: 0.1

sources: CNVD: CNVD-2019-46390 // VULMON: CVE-2019-13930 // JVNDB: JVNDB-2019-013307 // CNNVD: CNNVD-201912-419 // NVD: CVE-2019-13930

SOURCES

db: IVD, id: aef90bd7-2dca-4bae-b0ac-fc91e114bbb8
db: CNVD, id: CNVD-2019-46390
db: VULMON, id: CVE-2019-13930
db: JVNDB, id: JVNDB-2019-013307
db: CNNVD, id: CNNVD-201912-419
db: NVD, id: CVE-2019-13930

LAST UPDATE DATE

2024-11-23T21:59:33.362000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-46390, date: 2019-12-20T00:00:00
db: VULMON, id: CVE-2019-13930, date: 2019-12-19T00:00:00
db: JVNDB, id: JVNDB-2019-013307, date: 2019-12-25T00:00:00
db: CNNVD, id: CNNVD-201912-419, date: 2020-06-09T00:00:00
db: NVD, id: CVE-2019-13930, date: 2024-11-21T04:25:43.183

SOURCES RELEASE DATE

db: IVD, id: aef90bd7-2dca-4bae-b0ac-fc91e114bbb8, date: 2019-12-20T00:00:00
db: CNVD, id: CNVD-2019-46390, date: 2019-12-20T00:00:00
db: VULMON, id: CVE-2019-13930, date: 2019-12-12T00:00:00
db: JVNDB, id: JVNDB-2019-013307, date: 2019-12-25T00:00:00
db: CNNVD, id: CNNVD-201912-419, date: 2019-12-10T00:00:00
db: NVD, id: CVE-2019-13930, date: 2019-12-12T19:15:14.623