CVE-2019-1882 : A vulnerability in Cisco Industrial Network Director could allow an authenticate

A vulnerability in Cisco Industrial Network Director could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks. The vulnerability is due to improper validation of content submitted to the affected application. An attacker could exploit this vulnerability by sending requests containing malicious values to the affected system. A successful exploit could allow the attacker to conduct XSS attacks.

Published 2019-06-05 17:29:01

Updated 2019-10-09 23:48:26

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2019-1882

Cisco » Industrial Network Director » Version: 1.5(0.250)
cpe:2.3:a:cisco:industrial_network_director:1.5\(0.250\):*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-1882

EPSS FAQ

0.18%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 36 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-1882

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.5	LOW	AV:N/AC:M/Au:S/C:N/I:P/A:N	6.8	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.4	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
5.4	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	Cisco Systems, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2019-1882

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- nvd@nist.gov (Primary)
- ykramarz@cisco.com (Secondary)

References for CVE-2019-1882

http://www.securityfocus.com/bid/108629

Cisco Industrial Network Director CVE-2019-1882 Cross Site Scripting Vulnerability
Third Party Advisory;VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ind-xss

Cisco Industrial Network Director Stored Cross-Site Scripting Vulnerability
Vendor Advisory

Jump to

Vulnerability Details : CVE-2019-1882

Products affected by CVE-2019-1882

Exploit prediction scoring system (EPSS) score for CVE-2019-1882

CVSS scores for CVE-2019-1882

CWE ids for CVE-2019-1882

References for CVE-2019-1882