Details of VAR-202009-0570

ID

VAR-202009-0570

CVE

CVE-2020-15788

TITLE

Siemens Polarion Subversion Webclient cross-site scripting vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-51247 // CNNVD: CNNVD-202009-493

DESCRIPTION

A vulnerability has been identified in Polarion Subversion Webclient (All versions). The Polarion subversion web application does not filter user input in a way that prevents Cross-Site Scripting. If a user is enticed into passing specially crafted, malicious input to the web client (e.g. by clicking on a malicious URL with embedded JavaScript), then JavaScript code can be returned and may then be executed by the user’s client. Various actions could be triggered by running malicious JavaScript code. It is an SVN client that enables Subversion users to use a web browser to process SVN repositories

Trust: 2.16

sources: NVD: CVE-2020-15788 // JVNDB: JVNDB-2020-010872 // CNVD: CNVD-2020-51247

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-51247

AFFECTED PRODUCTS

vendor:	siemens	model:	polarion subversion webclient	scope:	eq	version:	*	Trust: 1.0
vendor:	シーメンス	model:	polarion subversion webclient	scope:	eq	version:	-	Trust: 0.8
vendor:	siemens	model:	polarion subversion webclient	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2020-51247 // JVNDB: JVNDB-2020-010872 // NVD: CVE-2020-15788

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-15788
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2020-15788
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-51247
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202009-493
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2020-15788
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2020-51247
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-15788
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2020-15788
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-51247 // JVNDB: JVNDB-2020-010872 // CNNVD: CNNVD-202009-493 // NVD: CVE-2020-15788

PROBLEMTYPE DATA

problemtype:	CWE-80	Trust: 1.0
problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-010872 // NVD: CVE-2020-15788

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-493

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202009-493

PATCH

title:	SSA-436520	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-436520.pdf	Trust: 0.8
title:	Patch for Siemens Polarion Subversion Webclient cross-site scripting vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/233329	Trust: 0.6
title:	SAP Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=127914	Trust: 0.6

sources: CNVD: CNVD-2020-51247 // JVNDB: JVNDB-2020-010872 // CNNVD: CNNVD-202009-493

EXTERNAL IDS

db:	NVD	id:	CVE-2020-15788	Trust: 3.8
db:	SIEMENS	id:	SSA-436520	Trust: 2.2
db:	ICS CERT	id:	ICSA-20-252-08	Trust: 1.4
db:	JVN	id:	JVNVU94568336	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-010872	Trust: 0.8
db:	CNVD	id:	CNVD-2020-51247	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.3079	Trust: 0.6
db:	NSFOCUS	id:	50584	Trust: 0.6
db:	CNNVD	id:	CNNVD-202009-493	Trust: 0.6

sources: CNVD: CNVD-2020-51247 // JVNDB: JVNDB-2020-010872 // CNNVD: CNNVD-202009-493 // NVD: CVE-2020-15788

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-436520.pdf	Trust: 2.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-15788	Trust: 1.4
url:	https://us-cert.cisa.gov/ics/advisories/icsa-20-252-08	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu94568336/index.html	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/50584	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3079/	Trust: 0.6

sources: CNVD: CNVD-2020-51247 // JVNDB: JVNDB-2020-010872 // CNNVD: CNNVD-202009-493 // NVD: CVE-2020-15788

SOURCES

db:	CNVD	id:	CNVD-2020-51247
db:	JVNDB	id:	JVNDB-2020-010872
db:	CNNVD	id:	CNNVD-202009-493
db:	NVD	id:	CVE-2020-15788

LAST UPDATE DATE

2024-11-23T19:43:01.094000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-51247	date:	2020-09-10T00:00:00
db:	JVNDB	id:	JVNDB-2020-010872	date:	2022-03-11T06:04:00
db:	CNNVD	id:	CNNVD-202009-493	date:	2021-08-16T00:00:00
db:	NVD	id:	CVE-2020-15788	date:	2024-11-21T05:06:10.930

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-51247	date:	2020-09-10T00:00:00
db:	JVNDB	id:	JVNDB-2020-010872	date:	2021-02-12T00:00:00
db:	CNNVD	id:	CNNVD-202009-493	date:	2020-09-08T00:00:00
db:	NVD	id:	CVE-2020-15788	date:	2020-09-09T19:15:20.163