ID

VAR-201912-1250


CVE

CVE-2019-18571


TITLE

RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance Product cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-013710

DESCRIPTION

The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance products prior to 7.1.1 P03 contain a reflected cross-site scripting vulnerability in the My Access Live module [MAL]. An authenticated malicious local user could potentially exploit this vulnerability by sending a crafted URL with scripts. When victim users access the module through their browsers, the malicious code gets injected and executed by the web browser in the context of the vulnerable web application. The vulnerability stems from the lack of correct validation of client data in web applications. An attacker could exploit this vulnerability to execute client code.

Trust: 1.71

sources: NVD: CVE-2019-18571 // JVNDB: JVNDB-2019-013710 // VULHUB: VHN-150931

AFFECTED PRODUCTS

vendor: dell, model: rsa identity governance and lifecycle, scope: eq, version: 7.0

Trust: 1.0

vendor: dell, model: rsa identity governance and lifecycle, scope: eq, version: 7.1.0

Trust: 1.0

vendor: dell, model: rsa identity governance and lifecycle, scope: eq, version: 7.1.1

Trust: 1.0

vendor: dell, model: rsa identity governance and lifecycle, scope: eq, version: 7.0.1

Trust: 1.0

vendor: dell, model: rsa identity governance and lifecycle, scope: eq, version: 7.0.2

Trust: 1.0

vendor: dell emc old emc, model: rsa identity governance and lifecycle, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-013710 // NVD: CVE-2019-18571

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-18571
value: MEDIUM

Trust: 1.0

security_alert@emc.com: CVE-2019-18571
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-18571
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201912-881
value: MEDIUM

Trust: 0.6

VULHUB: VHN-150931
value: LOW

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2019-18571
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-150931
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

security_alert@emc.com: CVE-2019-18571
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-18571
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-150931 // JVNDB: JVNDB-2019-013710 // CNNVD: CNNVD-201912-881 // NVD: CVE-2019-18571 // NVD: CVE-2019-18571

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-150931 // JVNDB: JVNDB-2019-013710 // NVD: CVE-2019-18571

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201912-881

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201912-881

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-013710

PATCH

title: DSA-2019-164: RSA Identity Governance and Lifecycle Product Security Update for Multiple Vulnerabilities
url: https://www.dell.com/support/security/en-us/details/DOC-109310/DSA-2019-164-RSA-Identity-Governance-and-Lifecycle-Product-Security-Update-for-Multiple-Vulnerabi

Trust: 0.8

title: Dell RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=106103

Trust: 0.6

sources: JVNDB: JVNDB-2019-013710 // CNNVD: CNNVD-201912-881

EXTERNAL IDS

db: NVD, id: CVE-2019-18571

Trust: 2.5

db: JVNDB, id: JVNDB-2019-013710

Trust: 0.8

db: CNNVD, id: CNNVD-201912-881

Trust: 0.7

db: CNVD, id: CNVD-2020-03161

Trust: 0.1

db: VULHUB, id: VHN-150931

Trust: 0.1

sources: VULHUB: VHN-150931 // JVNDB: JVNDB-2019-013710 // CNNVD: CNNVD-201912-881 // NVD: CVE-2019-18571

REFERENCES

url:https://community.rsa.com/docs/doc-109310

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-18571

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-18571

Trust: 0.8

url:https://www.dell.com/support/security/en-us/details/doc-109310/dsa-2019-164-rsa-identity-governance-and-lifecycle-product-security-update-for-multiple-vulnerabi

Trust: 0.6

sources: VULHUB: VHN-150931 // JVNDB: JVNDB-2019-013710 // CNNVD: CNNVD-201912-881 // NVD: CVE-2019-18571

SOURCES

db: VULHUB, id: VHN-150931
db: JVNDB, id: JVNDB-2019-013710
db: CNNVD, id: CNNVD-201912-881
db: NVD, id: CVE-2019-18571

LAST UPDATE DATE

2024-11-23T22:29:49.351000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-150931, date: 2020-08-31T00:00:00
db: JVNDB, id: JVNDB-2019-013710, date: 2020-01-15T00:00:00
db: CNNVD, id: CNNVD-201912-881, date: 2020-09-02T00:00:00
db: NVD, id: CVE-2019-18571, date: 2024-11-21T04:33:19.187

SOURCES RELEASE DATE

db: VULHUB, id: VHN-150931, date: 2019-12-18T00:00:00
db: JVNDB, id: JVNDB-2019-013710, date: 2020-01-15T00:00:00
db: CNNVD, id: CNNVD-201912-881, date: 2019-12-18T00:00:00
db: NVD, id: CVE-2019-18571, date: 2019-12-18T21:15:12.833