ID

VAR-202210-1908


CVE

CVE-2022-40190


TITLE

Cross-site scripting vulnerability in moduWeb made by SAUTER

Trust: 0.8

sources: JVNDB: JVNDB-2022-002631

DESCRIPTION

SAUTER Controls moduWeb firmware version 2.7.1 is vulnerable to reflective cross-site scripting (XSS). The web application does not adequately sanitize request strings of malicious JavaScript. An attacker utilizing XSS could then execute malicious code in users’ browsers and steal sensitive information, including user credentials.

moduWeb, provided by SAUTER, is the central monitoring device of the company's building automation system (B-OWS: BACnet Operator Workstation). moduWeb contains the following vulnerability:

* Reflected cross-site scripting (CWE-79) - CVE-2022-40190

Successful exploitation of this vulnerability by a remote third party could result in the following effect:

* An arbitrary script is executed in the web browser of a user who accessed the monitoring screen of the product, and sensitive information including user authentication information is stolen.

Trust: 1.71

sources: NVD: CVE-2022-40190 // JVNDB: JVNDB-2022-002631 // VULHUB: VHN-435995

AFFECTED PRODUCTS

vendor: sauter controls | model: moduweb | scope: eq | version: 2.7.1

Trust: 1.0

vendor: fr sauter | model: moduweb | scope: eq | version: moduweb firmware 2.7.1

Trust: 0.8

vendor: fr sauter | model: moduweb | scope: eq | version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-002631 // NVD: CVE-2022-40190

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-40190
value: CRITICAL

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-40190
value: HIGH

Trust: 1.0

OTHER: JVNDB-2022-002631
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202210-2419
value: CRITICAL

Trust: 0.6

NVD:
baseSeverity: CRITICAL
baseScore: 9.6
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 6.0
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov:
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

OTHER: JVNDB-2022-002631
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-002631 // NVD: CVE-2022-40190 // NVD: CVE-2022-40190 // CNNVD: CNNVD-202210-2419

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.1

problemtype:Cross-site scripting (CWE-79) [ others ]

Trust: 0.8

sources: VULHUB: VHN-435995 // JVNDB: JVNDB-2022-002631 // NVD: CVE-2022-40190

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202210-2419

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202210-2419

CONFIGURATIONS

sources: NVD: CVE-2022-40190

PATCH

title: Welcome to SAUTER | url: https://www.sauter-controls.com/en/

Trust: 0.8

title: SAUTER Controls moduWeb Fixes for cross-site scripting vulnerabilities | url: http://123.124.177.30/web/xxk/bdxqbyid.tag?id=212872

Trust: 0.6

sources: JVNDB: JVNDB-2022-002631 // CNNVD: CNNVD-202210-2419

EXTERNAL IDS

db: ICS CERT | id: ICSA-22-300-02

Trust: 2.5

db: NVD | id: CVE-2022-40190

Trust: 2.5

db: JVN | id: JVNVU90122134

Trust: 0.8

db: JVNDB | id: JVNDB-2022-002631

Trust: 0.8

db: AUSCERT | id: ESB-2022.5425

Trust: 0.6

db: CNNVD | id: CNNVD-202210-2419

Trust: 0.6

db: VULHUB | id: VHN-435995

Trust: 0.1

sources: VULHUB: VHN-435995 // JVNDB: JVNDB-2022-002631 // NVD: CVE-2022-40190 // CNNVD: CNNVD-202210-2419

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-300-02

Trust: 2.5

url:https://jvn.jp/vu/jvnvu90122134

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2022.5425

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-40190/

Trust: 0.6

sources: VULHUB: VHN-435995 // JVNDB: JVNDB-2022-002631 // NVD: CVE-2022-40190 // CNNVD: CNNVD-202210-2419

SOURCES

db: VULHUB | id: VHN-435995
db: JVNDB | id: JVNDB-2022-002631
db: NVD | id: CVE-2022-40190
db: CNNVD | id: CNNVD-202210-2419

LAST UPDATE DATE

2023-12-18T12:48:25.182000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-435995 | date: 2022-11-02T00:00:00
db: JVNDB | id: JVNDB-2022-002631 | date: 2022-10-31T06:47:00
db: NVD | id: CVE-2022-40190 | date: 2022-11-02T14:13:10.390
db: CNNVD | id: CNNVD-202210-2419 | date: 2022-11-03T00:00:00

SOURCES RELEASE DATE

db: VULHUB | id: VHN-435995 | date: 2022-10-31T00:00:00
db: JVNDB | id: JVNDB-2022-002631 | date: 2022-10-31T00:00:00
db: NVD | id: CVE-2022-40190 | date: 2022-10-31T21:15:12.660
db: CNNVD | id: CNNVD-202210-2419 | date: 2022-10-28T00:00:00