CVE-2019-1000024 - Vulnerability Details - OpenCVE

OPT/NET BV NG-NetMS version v3.6-2 and earlier versions contains a Cross Site Scripting (XSS) vulnerability in /js/libs/jstree/demo/filebrowser/index.php page. The "id" and "operation" GET parameters can be used to inject arbitrary JavaScript which is returned in the page's response that can result in Cross-site scripting.This attack appear to be exploitable via network connectivity.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Opt-net	Ng-netms

Configuration 1 [-]

cpe:2.3:a:opt-net:ng-netms:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://inf0seq.github.io/cve/2019/01/20/Cross-site-scripting-%28XSS%29-in-OPTOSS-Next-Gen-Network-Management-System-%28NG-NetMS%29.html
https://sourceforge.net/projects/ngnms/
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-02-04T21:00:00

Updated: 2024-08-05T03:00:19.318Z

Reserved: 2019-01-20T00:00:00

Link: CVE-2019-1000024

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-02-04T21:29:01.677

Modified: 2024-11-21T04:17:42.263

Link: CVE-2019-1000024

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2019-01-22T00:00:00", "datePublic": "2019-02-04T00:00:00", "descriptions": [{"lang": "en", "value": "OPT/NET BV NG-NetMS version v3.6-2 and earlier versions contains a Cross Site Scripting (XSS) vulnerability in /js/libs/jstree/demo/filebrowser/index.php page. The \"id\" and \"operation\" GET parameters can be used to inject arbitrary JavaScript which is returned in the page's response that can result in Cross-site scripting.This attack appear to be exploitable via network connectivity."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-02-04T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29"}, {"tags": ["x_refsource_MISC"], "url": "https://inf0seq.github.io/cve/2019/01/20/Cross-site-scripting-%28XSS%29-in-OPTOSS-Next-Gen-Network-Management-System-%28NG-NetMS%29.html"}, {"tags": ["x_refsource_MISC"], "url": "https://sourceforge.net/projects/ngnms/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2019-01-22T21:21:10.031068", "DATE_REQUESTED": "2019-01-20T14:10:58", "ID": "CVE-2019-1000024", "REQUESTER": "piotr.karolak@gmail.com", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OPT/NET BV NG-NetMS version v3.6-2 and earlier versions contains a Cross Site Scripting (XSS) vulnerability in /js/libs/jstree/demo/filebrowser/index.php page. The \"id\" and \"operation\" GET parameters can be used to inject arbitrary JavaScript which is returned in the page's response that can result in Cross-site scripting.This attack appear to be exploitable via network connectivity."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)", "refsource": "MISC", "url": "https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)"}, {"name": "https://inf0seq.github.io/cve/2019/01/20/Cross-site-scripting-(XSS)-in-OPTOSS-Next-Gen-Network-Management-System-(NG-NetMS).html", "refsource": "MISC", "url": "https://inf0seq.github.io/cve/2019/01/20/Cross-site-scripting-(XSS)-in-OPTOSS-Next-Gen-Network-Management-System-(NG-NetMS).html"}, {"name": "https://sourceforge.net/projects/ngnms/", "refsource": "MISC", "url": "https://sourceforge.net/projects/ngnms/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:00:19.318Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://inf0seq.github.io/cve/2019/01/20/Cross-site-scripting-%28XSS%29-in-OPTOSS-Next-Gen-Network-Management-System-%28NG-NetMS%29.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://sourceforge.net/projects/ngnms/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-1000024", "datePublished": "2019-02-04T21:00:00", "dateReserved": "2019-01-20T00:00:00", "dateUpdated": "2024-08-05T03:00:19.318Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opt-net:ng-netms:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFEAEB1C-7111-4663-A973-1F1BB505668D", "versionEndIncluding": "3.6-2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OPT/NET BV NG-NetMS version v3.6-2 and earlier versions contains a Cross Site Scripting (XSS) vulnerability in /js/libs/jstree/demo/filebrowser/index.php page. The \"id\" and \"operation\" GET parameters can be used to inject arbitrary JavaScript which is returned in the page's response that can result in Cross-site scripting.This attack appear to be exploitable via network connectivity."}, {"lang": "es", "value": "OPT/NET BV NG-NetMS, en versiones v3.6-2 y anteriores, contiene una vulnerabilidad Cross-Site Scripting (XSS) en la p\u00e1gina /js/libs/jstree/demo/filebrowser/index.php. Los par\u00e1metros GET \"id\" y \"operation\" pueden emplearse para inyectar JavaScript arbitrario, que se devuelve en la respuesta de la p\u00e1gina. Esto puede resultar en Cross-Site Scripting (XSS). Este ataque parece ser explotable mediante conectividad de red."}], "id": "CVE-2019-1000024", "lastModified": "2024-11-21T04:17:42.263", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-02-04T21:29:01.677", "references": [{"source": "cve@mitre.org", "url": "https://inf0seq.github.io/cve/2019/01/20/Cross-site-scripting-%28XSS%29-in-OPTOSS-Next-Gen-Network-Management-System-%28NG-NetMS%29.html"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://sourceforge.net/projects/ngnms/"}, {"source": "cve@mitre.org", "url": "https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://inf0seq.github.io/cve/2019/01/20/Cross-site-scripting-%28XSS%29-in-OPTOSS-Next-Gen-Network-Management-System-%28NG-NetMS%29.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Third Party Advisory"], "url": "https://sourceforge.net/projects/ngnms/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}