Details of VAR-202008-1169

ID

VAR-202008-1169

CVE

CVE-2020-9036

TITLE

Jeedom cross-site scripting vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-47591 // CNNVD: CNNVD-202008-185

DESCRIPTION

Jeedom through 4.0.38 allows XSS. Jeedom Exists in a cross-site scripting vulnerability.Information may be obtained and tampered with. Jeedom is an open source home automation solution for the Internet of Things. The vulnerability stems from the lack of correct verification of client data in the WEB application. An attacker can use this vulnerability to execute client code

Trust: 2.79

sources: NVD: CVE-2020-9036 // JVNDB: JVNDB-2020-009063 // CNVD: CNVD-2020-47591 // CNNVD: CNNVD-202008-185 // VULMON: CVE-2020-9036

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-47591

AFFECTED PRODUCTS

vendor:	jeedom	model:	jeedom	scope:	lte	version:	4.0.38	Trust: 1.0
vendor:	jeedom	model:	jeedom	scope:	eq	version:	4.0.38	Trust: 0.8
vendor:	jeedom	model:	jeedom	scope:	lte	version:	<=4.0.38	Trust: 0.6

sources: CNVD: CNVD-2020-47591 // JVNDB: JVNDB-2020-009063 // NVD: CVE-2020-9036

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-9036
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2020-009063
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-47591
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202008-185
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2020-9036
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-9036
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
NVD:	JVNDB-2020-009063
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-47591
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-9036
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-009063
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-47591 // VULMON: CVE-2020-9036 // JVNDB: JVNDB-2020-009063 // CNNVD: CNNVD-202008-185 // NVD: CVE-2020-9036

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2020-009063 // NVD: CVE-2020-9036

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202008-185

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202008-185

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-009063

PATCH

title:	Top Page	url:	https://www.jeedom.com/fr/	Trust: 0.8
title:	Patch for Jeedom cross-site scripting vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/231445	Trust: 0.6
title:	Jeedom Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=125867	Trust: 0.6
title:	CVE-Flow	url:	https://github.com/404notf0und/CVE-Flow	Trust: 0.1

sources: CNVD: CNVD-2020-47591 // VULMON: CVE-2020-9036 // JVNDB: JVNDB-2020-009063 // CNNVD: CNNVD-202008-185

EXTERNAL IDS

db:	NVD	id:	CVE-2020-9036	Trust: 3.1
db:	JVNDB	id:	JVNDB-2020-009063	Trust: 0.8
db:	CNVD	id:	CNVD-2020-47591	Trust: 0.6
db:	CNNVD	id:	CNNVD-202008-185	Trust: 0.6
db:	VULMON	id:	CVE-2020-9036	Trust: 0.1

sources: CNVD: CNVD-2020-47591 // VULMON: CVE-2020-9036 // JVNDB: JVNDB-2020-009063 // CNNVD: CNNVD-202008-185 // NVD: CVE-2020-9036

REFERENCES

url:	https://sysdream.com/news/lab/2020-08-05-cve-2020-9036-jeedom-xss-leading-to-remote-code-execution/	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9036	Trust: 2.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9036	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/404notf0und/cve-flow	Trust: 0.1

sources: CNVD: CNVD-2020-47591 // VULMON: CVE-2020-9036 // JVNDB: JVNDB-2020-009063 // CNNVD: CNNVD-202008-185 // NVD: CVE-2020-9036

SOURCES

db:	CNVD	id:	CNVD-2020-47591
db:	VULMON	id:	CVE-2020-9036
db:	JVNDB	id:	JVNDB-2020-009063
db:	CNNVD	id:	CNNVD-202008-185
db:	NVD	id:	CVE-2020-9036

LAST UPDATE DATE

2024-11-23T22:47:52.790000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-47591	date:	2020-08-22T00:00:00
db:	VULMON	id:	CVE-2020-9036	date:	2020-08-07T00:00:00
db:	JVNDB	id:	JVNDB-2020-009063	date:	2020-10-16T00:00:00
db:	CNNVD	id:	CNNVD-202008-185	date:	2020-08-10T00:00:00
db:	NVD	id:	CVE-2020-9036	date:	2024-11-21T05:39:52.517

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-47591	date:	2020-08-22T00:00:00
db:	VULMON	id:	CVE-2020-9036	date:	2020-08-05T00:00:00
db:	JVNDB	id:	JVNDB-2020-009063	date:	2020-10-16T00:00:00
db:	CNNVD	id:	CNNVD-202008-185	date:	2020-08-05T00:00:00
db:	NVD	id:	CVE-2020-9036	date:	2020-08-05T22:15:12.403