Search criteria
6 vulnerabilities found for remedy_smart_reporting by bmc
FKIE_CVE-2019-11216
Vulnerability from fkie_nvd - Published: 2019-12-04 20:15 - Updated: 2024-11-21 04:20
Severity ?
Summary
BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/155552/BMC-Smart-Reporting-7.3-20180418-XML-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://seclists.org/fulldisclosure/2019/Dec/7 | Exploit, Mailing List, Third Party Advisory | |
| cve@mitre.org | https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/155552/BMC-Smart-Reporting-7.3-20180418-XML-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2019/Dec/7 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bmc | remedy_smart_reporting | * | |
| bmc | remedy_smart_reporting | * | |
| bmc | remedy_smart_reporting | * | |
| bmc | remedy_smart_reporting | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bmc:remedy_smart_reporting:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D85A2DEC-E5E5-4B85-8781-F62C4F8D26AC",
"versionEndIncluding": "9.1.03.001",
"versionStartIncluding": "9.1.03",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bmc:remedy_smart_reporting:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F840DBE-5004-4F35-AD7C-45F0862C5EE0",
"versionEndIncluding": "9.1.04.002",
"versionStartIncluding": "9.1.04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bmc:remedy_smart_reporting:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F669CF97-A771-4901-A244-C15A474696AA",
"versionEndIncluding": "18.05.05",
"versionStartIncluding": "18.05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bmc:remedy_smart_reporting:*:*:*:*:*:*:*:*",
"matchCriteriaId": "75287100-EB00-41F0-9322-F7545B0FCADB",
"versionEndIncluding": "19.02.01",
"versionStartIncluding": "19.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed."
},
{
"lang": "es",
"value": "BMC Smart Reporting versi\u00f3n 7.3 20180418, permite un ataque de tipo XXE autenticado dentro de la funcionalidad import. Se puede importar un archivo XML malicioso y realizar ataques de tipo XXE para desencadenar archivos locales del servidor, o hacer ataques de tipo DoS con ataques de expansi\u00f3n XML. XXE con respuesta directa y XXE OOB est\u00e1n permitidos."
}
],
"id": "CVE-2019-11216",
"lastModified": "2024-11-21T04:20:44.670",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-12-04T20:15:12.277",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/155552/BMC-Smart-Reporting-7.3-20180418-XML-Injection.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2019/Dec/7"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/155552/BMC-Smart-Reporting-7.3-20180418-XML-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2019/Dec/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
},
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-1010147
Vulnerability from fkie_nvd - Published: 2019-07-26 00:15 - Updated: 2024-11-21 04:17
Severity ?
Summary
Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later.
References
| URL | Tags | ||
|---|---|---|---|
| josh@bress.net | https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bmc | remedy_smart_reporting | - | |
| yellowfinbi | yellowfin_bi | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bmc:remedy_smart_reporting:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F3B099D6-62C3-4877-9B13-FF948200EC37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:yellowfinbi:yellowfin_bi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9B8D0086-5FCB-4035-BA80-9BFFBBD5CA40",
"versionEndExcluding": "7.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker\u0027s control; the XSS vulnerability on the target domain is silently exploited without the victim\u0027s knowledge. The fixed version is: 7.4 and later."
},
{
"lang": "es",
"value": "Yellowfin Smart Reporting Todas las Versiones Anteriores a 7.3 est\u00e1n afectadas por: Control de Acceso Incorrecto - Escalamiento de Privilegios. El impacto es: V\u00edctima atacada y acceso a la funcionalidad de administraci\u00f3n por medio de su navegador y el navegador de control. El componente es: archivo MIAdminStyles.i4. El vector de ataque es: Las v\u00edctimas normalmente son atra\u00eddas a un sitio web bajo el control del atacante; la vulnerabilidad de tipo XSS en el dominio apuntado se explota silenciosamente sin el conocimiento de la v\u00edctima. La versi\u00f3n corregida es: 7.4 y posteriores."
}
],
"id": "CVE-2019-1010147",
"lastModified": "2024-11-21T04:17:59.427",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-07-26T00:15:11.073",
"references": [
{
"source": "josh@bress.net",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS"
}
],
"sourceIdentifier": "josh@bress.net",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2019-11216 (GCVE-0-2019-11216)
Vulnerability from cvelistv5 – Published: 2019-12-04 19:31 – Updated: 2024-08-04 22:48
VLAI?
Summary
BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:48:09.002Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2019/Dec/7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/155552/BMC-Smart-Reporting-7.3-20180418-XML-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-05T00:06:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2019/Dec/7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/155552/BMC-Smart-Reporting-7.3-20180418-XML-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11216",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html",
"refsource": "MISC",
"url": "https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html"
},
{
"name": "http://seclists.org/fulldisclosure/2019/Dec/7",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2019/Dec/7"
},
{
"name": "http://packetstormsecurity.com/files/155552/BMC-Smart-Reporting-7.3-20180418-XML-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/155552/BMC-Smart-Reporting-7.3-20180418-XML-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11216",
"datePublished": "2019-12-04T19:31:55",
"dateReserved": "2019-04-12T00:00:00",
"dateUpdated": "2024-08-04T22:48:09.002Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1010147 (GCVE-0-2019-1010147)
Vulnerability from cvelistv5 – Published: 2019-07-25 23:02 – Updated: 2024-08-05 03:07
VLAI?
Summary
Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later.
Severity ?
No CVSS data available.
CWE
- Incorrect Access Control - Privileges Escalation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Yellowfin | Smart Reporting |
Affected:
< 7.3 [fixed: 7.4 and later]
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:07:18.348Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Smart Reporting",
"vendor": "Yellowfin",
"versions": [
{
"status": "affected",
"version": "\u003c 7.3 [fixed: 7.4 and later]"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker\u0027s control; the XSS vulnerability on the target domain is silently exploited without the victim\u0027s knowledge. The fixed version is: 7.4 and later."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Incorrect Access Control - Privileges Escalation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-25T23:02:40",
"orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"shortName": "dwf"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2019-1010147",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Smart Reporting",
"version": {
"version_data": [
{
"version_value": "\u003c 7.3 [fixed: 7.4 and later]"
}
]
}
}
]
},
"vendor_name": "Yellowfin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker\u0027s control; the XSS vulnerability on the target domain is silently exploited without the victim\u0027s knowledge. The fixed version is: 7.4 and later."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Access Control - Privileges Escalation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS",
"refsource": "MISC",
"url": "https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"assignerShortName": "dwf",
"cveId": "CVE-2019-1010147",
"datePublished": "2019-07-25T23:02:40",
"dateReserved": "2019-03-20T00:00:00",
"dateUpdated": "2024-08-05T03:07:18.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11216 (GCVE-0-2019-11216)
Vulnerability from nvd – Published: 2019-12-04 19:31 – Updated: 2024-08-04 22:48
VLAI?
Summary
BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:48:09.002Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2019/Dec/7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/155552/BMC-Smart-Reporting-7.3-20180418-XML-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-05T00:06:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2019/Dec/7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/155552/BMC-Smart-Reporting-7.3-20180418-XML-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11216",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. XXE with direct response and XXE OOB are allowed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html",
"refsource": "MISC",
"url": "https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html"
},
{
"name": "http://seclists.org/fulldisclosure/2019/Dec/7",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2019/Dec/7"
},
{
"name": "http://packetstormsecurity.com/files/155552/BMC-Smart-Reporting-7.3-20180418-XML-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/155552/BMC-Smart-Reporting-7.3-20180418-XML-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11216",
"datePublished": "2019-12-04T19:31:55",
"dateReserved": "2019-04-12T00:00:00",
"dateUpdated": "2024-08-04T22:48:09.002Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1010147 (GCVE-0-2019-1010147)
Vulnerability from nvd – Published: 2019-07-25 23:02 – Updated: 2024-08-05 03:07
VLAI?
Summary
Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later.
Severity ?
No CVSS data available.
CWE
- Incorrect Access Control - Privileges Escalation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Yellowfin | Smart Reporting |
Affected:
< 7.3 [fixed: 7.4 and later]
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:07:18.348Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Smart Reporting",
"vendor": "Yellowfin",
"versions": [
{
"status": "affected",
"version": "\u003c 7.3 [fixed: 7.4 and later]"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker\u0027s control; the XSS vulnerability on the target domain is silently exploited without the victim\u0027s knowledge. The fixed version is: 7.4 and later."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Incorrect Access Control - Privileges Escalation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-25T23:02:40",
"orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"shortName": "dwf"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2019-1010147",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Smart Reporting",
"version": {
"version_data": [
{
"version_value": "\u003c 7.3 [fixed: 7.4 and later]"
}
]
}
}
]
},
"vendor_name": "Yellowfin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker\u0027s control; the XSS vulnerability on the target domain is silently exploited without the victim\u0027s knowledge. The fixed version is: 7.4 and later."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Access Control - Privileges Escalation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS",
"refsource": "MISC",
"url": "https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"assignerShortName": "dwf",
"cveId": "CVE-2019-1010147",
"datePublished": "2019-07-25T23:02:40",
"dateReserved": "2019-03-20T00:00:00",
"dateUpdated": "2024-08-05T03:07:18.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}