Vulnerability Details : CVE-2019-1000024
OPT/NET BV NG-NetMS version v3.6-2 and earlier versions contains a Cross Site Scripting (XSS) vulnerability in /js/libs/jstree/demo/filebrowser/index.php page. The "id" and "operation" GET parameters can be used to inject arbitrary JavaScript which is returned in the page's response that can result in Cross-site scripting.This attack appear to be exploitable via network connectivity.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2019-1000024
- cpe:2.3:a:opt-net:ng-netms:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-1000024
0.13%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 48 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-1000024
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST | |
6.1
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST |
CWE ids for CVE-2019-1000024
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-1000024
-
https://sourceforge.net/projects/ngnms/
OPTOSS NG-NetMS download | SourceForge.netProduct;Third Party Advisory
-
https://inf0seq.github.io/cve/2019/01/20/Cross-site-scripting-(XSS)-in-OPTOSS-Next-Gen-Network-Management-System-(NG-NetMS).html
Cross-site scripting (XSS) in OPTOSS Next Gen Network Management System (NG-NetMS) - Information securityExploit;Third Party Advisory
-
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Cross-site Scripting (XSS) - OWASPThird Party Advisory
Jump to