Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2019-19284 (GCVE-0-2019-19284)
Vulnerability from cvelistv5 – Published: 2020-12-14 21:05 – Updated: 2024-08-05 02:09
VLAI
EPSS
Summary
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://cert-portal.siemens.com/productcert/pdf/s… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:09:39.615Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "XHQ",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All Versions \u003c 6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in XHQ (All Versions \u003c 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-14T21:05:17.000Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2019-19284",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "XHQ",
"version": {
"version_data": [
{
"version_value": "All Versions \u003c 6.1"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in XHQ (All Versions \u003c 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2019-19284",
"datePublished": "2020-12-14T21:05:17.000Z",
"dateReserved": "2019-11-26T00:00:00.000Z",
"dateUpdated": "2024-08-05T02:09:39.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2019-19284",
"date": "2026-05-27",
"epss": "0.00343",
"percentile": "0.5702"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:xhq:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"6.1.0.0\", \"matchCriteriaId\": \"3C901A67-8AB4-4DD0-A32E-B9B0CB372A23\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability has been identified in XHQ (All Versions \u003c 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users.\"}, {\"lang\": \"es\", \"value\": \"Se ha identificado una vulnerabilidad en XHQ (todas las versiones anteriores a 6.1).\u0026#xa0;La interfaz web podr\\u00eda permitir ataques de tipo Cross-Site Scripting (XSS) si un atacante es capaz de modificar el contenido de determinadas p\\u00e1ginas web, causando que la aplicaci\\u00f3n se comporte de manera inesperadas para los usuarios leg\\u00edtimos\"}]",
"id": "CVE-2019-19284",
"lastModified": "2024-11-21T04:34:29.743",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2020-12-14T21:15:16.707",
"references": "[{\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf\", \"source\": \"productcert@siemens.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"productcert@siemens.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-19284\",\"sourceIdentifier\":\"productcert@siemens.com\",\"published\":\"2020-12-14T21:15:16.707\",\"lastModified\":\"2024-11-21T04:34:29.743\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability has been identified in XHQ (All Versions \u003c 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users.\"},{\"lang\":\"es\",\"value\":\"Se ha identificado una vulnerabilidad en XHQ (todas las versiones anteriores a 6.1).\u0026#xa0;La interfaz web podr\u00eda permitir ataques de tipo Cross-Site Scripting (XSS) si un atacante es capaz de modificar el contenido de determinadas p\u00e1ginas web, causando que la aplicaci\u00f3n se comporte de manera inesperadas para los usuarios leg\u00edtimos\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"productcert@siemens.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:xhq:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.1.0.0\",\"matchCriteriaId\":\"3C901A67-8AB4-4DD0-A32E-B9B0CB372A23\"}]}]}],\"references\":[{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf\",\"source\":\"productcert@siemens.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
CERTFR-2020-AVI-800
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Siemens. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Siemens | N/A | XHQ versions antérieures à 6.1 | ||
| Siemens | N/A | SIMATIC ITC1900 V3.1 PRO toutes versions | ||
| Siemens | N/A | SIMATIC ITC2200 V3.1 PRO toutes versions | ||
| Siemens | N/A | LOGO! 8 BM (incl. SIPLUS variants) versions antérieures à 8.3 | ||
| Siemens | N/A | SCALANCE X-200 switch family (incl. SIPLUSNET variants) versions antérieures à 5.2.3 | ||
| Siemens | N/A | SIMATIC HMI Comfort Panels 4" - 22"(incl. SIPLUS variants) versions antérieures à la 16 sans le correctif numéro 3 | ||
| Siemens | N/A | SCALANCE X-300 switch family (incl. SIPLUSNET variants) versions antérieures à 4.1.3 | ||
| Siemens | N/A | RUGGEDCOM Win versions antérieures à 5.2 | ||
| Siemens | N/A | SENTRON PAC3200 versions antérieures à 2.4.5 | ||
| Siemens | N/A | SIMATIC ITC2200 V3.1 toutes versions | ||
| Siemens | N/A | SIMATIC S7-1500 Software Controller versions 20.8 | ||
| Siemens | N/A | SICAM A8000 CP-8000 versions antérieures à 16 | ||
| Siemens | N/A | SCALANCE X408 versions antérieures à V4.1.3 | ||
| Siemens | N/A | LOGO! Soft Comfort versions antérieures à 8.3 | ||
| Siemens | N/A | SIMATIC ITC1500 V3.1 toutes versions | ||
| Siemens | N/A | SICAM A8000 CP-8021 versions antérieures à 16 | ||
| Siemens | N/A | SCALANCE X414 toutes versions | ||
| Siemens | N/A | SICAM A8000 CP-8022 versions antérieures à 16 | ||
| Siemens | N/A | SENTRON PAC4200 versions antérieures à 2.0.1 | ||
| Siemens | N/A | SCALANCE X-200IRT switch family (incl. SIPLUSNET variants) versions antérieures à 5.4.1 | ||
| Siemens | N/A | SIRIUS 3RW5 communication module ModbusTCP toutes versions | ||
| Siemens | N/A | SIMATIC ITC1900 V3.1 toutes versions | ||
| Siemens | N/A | SCALANCE X-200RNA switch family versions antérieures à 3.2.6 | ||
| Siemens | N/A | RFID 181EIP toutes versions | ||
| Siemens | N/A | SIMATIC HMI KTP Mobile Panels KTP400F,KTP700, KTP700F, KTP900 and KTP900F versions antérieures à la 16 sans le correctif numéro 3 | ||
| Siemens | N/A | SIMATIC ET 200SP Open Controller(incl. SIPLUS variants) version 20.8 | ||
| Siemens | N/A | SIMATIC HMI Comfort Outdoor Panels 7" & 15"(incl. SIPLUS variants) versions antérieures à la 16 sans le correctif numéro 3 | ||
| Siemens | N/A | SIMATIC ITC1500 V3.1 PRO toutes versions | ||
| Siemens | N/A | SIMATIC RF182C toutes versions |
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "XHQ versions ant\u00e9rieures \u00e0 6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ITC1900 V3.1 PRO toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ITC2200 V3.1 PRO toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "LOGO! 8 BM (incl. SIPLUS variants) versions ant\u00e9rieures \u00e0 8.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X-200 switch family (incl. SIPLUSNET variants) versions ant\u00e9rieures \u00e0 5.2.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC HMI Comfort Panels 4\" - 22\"(incl. SIPLUS variants) versions ant\u00e9rieures \u00e0 la 16 sans le correctif num\u00e9ro 3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X-300 switch family (incl. SIPLUSNET variants) versions ant\u00e9rieures \u00e0 4.1.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "RUGGEDCOM Win versions ant\u00e9rieures \u00e0 5.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SENTRON PAC3200 versions ant\u00e9rieures \u00e0 2.4.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ITC2200 V3.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-1500 Software Controller versions 20.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SICAM A8000 CP-8000 versions ant\u00e9rieures \u00e0 16",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X408 versions ant\u00e9rieures \u00e0 V4.1.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "LOGO! Soft Comfort versions ant\u00e9rieures \u00e0 8.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ITC1500 V3.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SICAM A8000 CP-8021 versions ant\u00e9rieures \u00e0 16",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X414 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SICAM A8000 CP-8022 versions ant\u00e9rieures \u00e0 16",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SENTRON PAC4200 versions ant\u00e9rieures \u00e0 2.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X-200IRT switch family (incl. SIPLUSNET variants) versions ant\u00e9rieures \u00e0 5.4.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIRIUS 3RW5 communication module ModbusTCP toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ITC1900 V3.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X-200RNA switch family versions ant\u00e9rieures \u00e0 3.2.6",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "RFID 181EIP toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC HMI KTP Mobile Panels KTP400F,KTP700, KTP700F, KTP900 and KTP900F versions ant\u00e9rieures \u00e0 la 16 sans le correctif num\u00e9ro 3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET 200SP Open Controller(incl. SIPLUS variants) version 20.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC HMI Comfort Outdoor Panels 7\" \u0026 15\"(incl. SIPLUS variants) versions ant\u00e9rieures \u00e0 la 16 sans le correctif num\u00e9ro 3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ITC1500 V3.1 PRO toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RF182C toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2019-8287",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8287"
},
{
"name": "CVE-2020-25231",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25231"
},
{
"name": "CVE-2020-13988",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13988"
},
{
"name": "CVE-2020-25230",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25230"
},
{
"name": "CVE-2020-28396",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28396"
},
{
"name": "CVE-2020-15796",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15796"
},
{
"name": "CVE-2019-15680",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-15680"
},
{
"name": "CVE-2020-25235",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25235"
},
{
"name": "CVE-2018-4833",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4833"
},
{
"name": "CVE-2019-19289",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19289"
},
{
"name": "CVE-2019-19287",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19287"
},
{
"name": "CVE-2019-19283",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19283"
},
{
"name": "CVE-2020-25228",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25228"
},
{
"name": "CVE-2019-19286",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19286"
},
{
"name": "CVE-2019-15679",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-15679"
},
{
"name": "CVE-2019-19285",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19285"
},
{
"name": "CVE-2020-25232",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25232"
},
{
"name": "CVE-2019-19288",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19288"
},
{
"name": "CVE-2019-19284",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19284"
},
{
"name": "CVE-2020-25233",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25233"
},
{
"name": "CVE-2020-25234",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25234"
},
{
"name": "CVE-2020-25229",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25229"
},
{
"name": "CVE-2019-15678",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-15678"
}
],
"links": [],
"reference": "CERTFR-2020-AVI-800",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-12-08T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSiemens. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-478893 du 8 d\u00e9cembre 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-478893.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-700697 du 8 d\u00e9cembre 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-700697.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-541017 du 8 d\u00e9cembre 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-541017.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-480824 du 8 d\u00e9cembre 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-480824.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-712690 du 8 d\u00e9cembre 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-181018 du 8 d\u00e9cembre 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-181018.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-415783 du 8 d\u00e9cembre 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-415783.pdf"
}
]
}
CERTFR-2020-AVI-800
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Siemens. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Siemens | N/A | XHQ versions antérieures à 6.1 | ||
| Siemens | N/A | SIMATIC ITC1900 V3.1 PRO toutes versions | ||
| Siemens | N/A | SIMATIC ITC2200 V3.1 PRO toutes versions | ||
| Siemens | N/A | LOGO! 8 BM (incl. SIPLUS variants) versions antérieures à 8.3 | ||
| Siemens | N/A | SCALANCE X-200 switch family (incl. SIPLUSNET variants) versions antérieures à 5.2.3 | ||
| Siemens | N/A | SIMATIC HMI Comfort Panels 4" - 22"(incl. SIPLUS variants) versions antérieures à la 16 sans le correctif numéro 3 | ||
| Siemens | N/A | SCALANCE X-300 switch family (incl. SIPLUSNET variants) versions antérieures à 4.1.3 | ||
| Siemens | N/A | RUGGEDCOM Win versions antérieures à 5.2 | ||
| Siemens | N/A | SENTRON PAC3200 versions antérieures à 2.4.5 | ||
| Siemens | N/A | SIMATIC ITC2200 V3.1 toutes versions | ||
| Siemens | N/A | SIMATIC S7-1500 Software Controller versions 20.8 | ||
| Siemens | N/A | SICAM A8000 CP-8000 versions antérieures à 16 | ||
| Siemens | N/A | SCALANCE X408 versions antérieures à V4.1.3 | ||
| Siemens | N/A | LOGO! Soft Comfort versions antérieures à 8.3 | ||
| Siemens | N/A | SIMATIC ITC1500 V3.1 toutes versions | ||
| Siemens | N/A | SICAM A8000 CP-8021 versions antérieures à 16 | ||
| Siemens | N/A | SCALANCE X414 toutes versions | ||
| Siemens | N/A | SICAM A8000 CP-8022 versions antérieures à 16 | ||
| Siemens | N/A | SENTRON PAC4200 versions antérieures à 2.0.1 | ||
| Siemens | N/A | SCALANCE X-200IRT switch family (incl. SIPLUSNET variants) versions antérieures à 5.4.1 | ||
| Siemens | N/A | SIRIUS 3RW5 communication module ModbusTCP toutes versions | ||
| Siemens | N/A | SIMATIC ITC1900 V3.1 toutes versions | ||
| Siemens | N/A | SCALANCE X-200RNA switch family versions antérieures à 3.2.6 | ||
| Siemens | N/A | RFID 181EIP toutes versions | ||
| Siemens | N/A | SIMATIC HMI KTP Mobile Panels KTP400F,KTP700, KTP700F, KTP900 and KTP900F versions antérieures à la 16 sans le correctif numéro 3 | ||
| Siemens | N/A | SIMATIC ET 200SP Open Controller(incl. SIPLUS variants) version 20.8 | ||
| Siemens | N/A | SIMATIC HMI Comfort Outdoor Panels 7" & 15"(incl. SIPLUS variants) versions antérieures à la 16 sans le correctif numéro 3 | ||
| Siemens | N/A | SIMATIC ITC1500 V3.1 PRO toutes versions | ||
| Siemens | N/A | SIMATIC RF182C toutes versions |
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "XHQ versions ant\u00e9rieures \u00e0 6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ITC1900 V3.1 PRO toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ITC2200 V3.1 PRO toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "LOGO! 8 BM (incl. SIPLUS variants) versions ant\u00e9rieures \u00e0 8.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X-200 switch family (incl. SIPLUSNET variants) versions ant\u00e9rieures \u00e0 5.2.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC HMI Comfort Panels 4\" - 22\"(incl. SIPLUS variants) versions ant\u00e9rieures \u00e0 la 16 sans le correctif num\u00e9ro 3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X-300 switch family (incl. SIPLUSNET variants) versions ant\u00e9rieures \u00e0 4.1.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "RUGGEDCOM Win versions ant\u00e9rieures \u00e0 5.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SENTRON PAC3200 versions ant\u00e9rieures \u00e0 2.4.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ITC2200 V3.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC S7-1500 Software Controller versions 20.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SICAM A8000 CP-8000 versions ant\u00e9rieures \u00e0 16",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X408 versions ant\u00e9rieures \u00e0 V4.1.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "LOGO! Soft Comfort versions ant\u00e9rieures \u00e0 8.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ITC1500 V3.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SICAM A8000 CP-8021 versions ant\u00e9rieures \u00e0 16",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X414 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SICAM A8000 CP-8022 versions ant\u00e9rieures \u00e0 16",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SENTRON PAC4200 versions ant\u00e9rieures \u00e0 2.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X-200IRT switch family (incl. SIPLUSNET variants) versions ant\u00e9rieures \u00e0 5.4.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIRIUS 3RW5 communication module ModbusTCP toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ITC1900 V3.1 toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE X-200RNA switch family versions ant\u00e9rieures \u00e0 3.2.6",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "RFID 181EIP toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC HMI KTP Mobile Panels KTP400F,KTP700, KTP700F, KTP900 and KTP900F versions ant\u00e9rieures \u00e0 la 16 sans le correctif num\u00e9ro 3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ET 200SP Open Controller(incl. SIPLUS variants) version 20.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC HMI Comfort Outdoor Panels 7\" \u0026 15\"(incl. SIPLUS variants) versions ant\u00e9rieures \u00e0 la 16 sans le correctif num\u00e9ro 3",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC ITC1500 V3.1 PRO toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SIMATIC RF182C toutes versions",
"product": {
"name": "N/A",
"vendor": {
"name": "Siemens",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2019-8287",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8287"
},
{
"name": "CVE-2020-25231",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25231"
},
{
"name": "CVE-2020-13988",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13988"
},
{
"name": "CVE-2020-25230",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25230"
},
{
"name": "CVE-2020-28396",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28396"
},
{
"name": "CVE-2020-15796",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15796"
},
{
"name": "CVE-2019-15680",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-15680"
},
{
"name": "CVE-2020-25235",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25235"
},
{
"name": "CVE-2018-4833",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4833"
},
{
"name": "CVE-2019-19289",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19289"
},
{
"name": "CVE-2019-19287",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19287"
},
{
"name": "CVE-2019-19283",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19283"
},
{
"name": "CVE-2020-25228",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25228"
},
{
"name": "CVE-2019-19286",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19286"
},
{
"name": "CVE-2019-15679",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-15679"
},
{
"name": "CVE-2019-19285",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19285"
},
{
"name": "CVE-2020-25232",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25232"
},
{
"name": "CVE-2019-19288",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19288"
},
{
"name": "CVE-2019-19284",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19284"
},
{
"name": "CVE-2020-25233",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25233"
},
{
"name": "CVE-2020-25234",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25234"
},
{
"name": "CVE-2020-25229",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25229"
},
{
"name": "CVE-2019-15678",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-15678"
}
],
"links": [],
"reference": "CERTFR-2020-AVI-800",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-12-08T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSiemens. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-478893 du 8 d\u00e9cembre 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-478893.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-700697 du 8 d\u00e9cembre 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-700697.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-541017 du 8 d\u00e9cembre 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-541017.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-480824 du 8 d\u00e9cembre 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-480824.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-712690 du 8 d\u00e9cembre 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-181018 du 8 d\u00e9cembre 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-181018.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-415783 du 8 d\u00e9cembre 2020",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-415783.pdf"
}
]
}
CNVD-2020-70932
Vulnerability from cnvd - Published: 2020-12-12
VLAI
Title
Siemens XHQ跨站脚本漏洞
Description
Siemens XHQ是一种软件平台,它汇集了工厂或管道运营数据,并对这些数据进行面向目标的处理,然后实时地做出决策,并有效提升工厂或管道运营绩效。
Siemens XHQ 6.1之前版本存在跨站脚本漏洞。攻击者通过修改特定网页的内容利用该漏洞导致该应用程序对合法用户而言行为异常。
Severity
高
Patch Name
Siemens XHQ跨站脚本漏洞的补丁
Patch Description
Siemens XHQ是一种软件平台,它汇集了工厂或管道运营数据,并对这些数据进行面向目标的处理,然后实时地做出决策,并有效提升工厂或管道运营绩效。
Siemens XHQ 6.1之前版本存在跨站脚本漏洞。攻击者通过修改特定网页的内容利用该漏洞导致该应用程序对合法用户而言行为异常。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布了漏洞修复程序,请及时关注更新: https://us-cert.cisa.gov/ics/advisories/icsa-20-343-06
Reference
https://us-cert.cisa.gov/ics/advisories/icsa-20-343-06
Impacted products
| Name | Siemens XHQ <6.1 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2019-19284",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-19284"
}
},
"description": "Siemens XHQ\u662f\u4e00\u79cd\u8f6f\u4ef6\u5e73\u53f0\uff0c\u5b83\u6c47\u96c6\u4e86\u5de5\u5382\u6216\u7ba1\u9053\u8fd0\u8425\u6570\u636e\uff0c\u5e76\u5bf9\u8fd9\u4e9b\u6570\u636e\u8fdb\u884c\u9762\u5411\u76ee\u6807\u7684\u5904\u7406\uff0c\u7136\u540e\u5b9e\u65f6\u5730\u505a\u51fa\u51b3\u7b56\uff0c\u5e76\u6709\u6548\u63d0\u5347\u5de5\u5382\u6216\u7ba1\u9053\u8fd0\u8425\u7ee9\u6548\u3002\n\nSiemens XHQ 6.1\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u901a\u8fc7\u4fee\u6539\u7279\u5b9a\u7f51\u9875\u7684\u5185\u5bb9\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u8be5\u5e94\u7528\u7a0b\u5e8f\u5bf9\u5408\u6cd5\u7528\u6237\u800c\u8a00\u884c\u4e3a\u5f02\u5e38\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://us-cert.cisa.gov/ics/advisories/icsa-20-343-06",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2020-70932",
"openTime": "2020-12-12",
"patchDescription": "Siemens XHQ\u662f\u4e00\u79cd\u8f6f\u4ef6\u5e73\u53f0\uff0c\u5b83\u6c47\u96c6\u4e86\u5de5\u5382\u6216\u7ba1\u9053\u8fd0\u8425\u6570\u636e\uff0c\u5e76\u5bf9\u8fd9\u4e9b\u6570\u636e\u8fdb\u884c\u9762\u5411\u76ee\u6807\u7684\u5904\u7406\uff0c\u7136\u540e\u5b9e\u65f6\u5730\u505a\u51fa\u51b3\u7b56\uff0c\u5e76\u6709\u6548\u63d0\u5347\u5de5\u5382\u6216\u7ba1\u9053\u8fd0\u8425\u7ee9\u6548\u3002\r\n\r\nSiemens XHQ 6.1\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u901a\u8fc7\u4fee\u6539\u7279\u5b9a\u7f51\u9875\u7684\u5185\u5bb9\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u8be5\u5e94\u7528\u7a0b\u5e8f\u5bf9\u5408\u6cd5\u7528\u6237\u800c\u8a00\u884c\u4e3a\u5f02\u5e38\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Siemens XHQ\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "Siemens XHQ \u003c6.1"
},
"referenceLink": "https://us-cert.cisa.gov/ics/advisories/icsa-20-343-06",
"serverity": "\u9ad8",
"submitTime": "2020-12-09",
"title": "Siemens XHQ\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}
FKIE_CVE-2019-19284
Vulnerability from fkie_nvd - Published: 2020-12-14 21:15 - Updated: 2024-11-21 04:34
Severity
Summary
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:siemens:xhq:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3C901A67-8AB4-4DD0-A32E-B9B0CB372A23",
"versionEndExcluding": "6.1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in XHQ (All Versions \u003c 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users."
},
{
"lang": "es",
"value": "Se ha identificado una vulnerabilidad en XHQ (todas las versiones anteriores a 6.1).\u0026#xa0;La interfaz web podr\u00eda permitir ataques de tipo Cross-Site Scripting (XSS) si un atacante es capaz de modificar el contenido de determinadas p\u00e1ginas web, causando que la aplicaci\u00f3n se comporte de manera inesperadas para los usuarios leg\u00edtimos"
}
],
"id": "CVE-2019-19284",
"lastModified": "2024-11-21T04:34:29.743",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-14T21:15:16.707",
"references": [
{
"source": "productcert@siemens.com",
"tags": [
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
}
],
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "productcert@siemens.com",
"type": "Secondary"
}
]
}
GHSA-QH5Q-FPQR-QWJ9
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users.
{
"affected": [],
"aliases": [
"CVE-2019-19284"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-14T21:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in XHQ (All Versions \u003c 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users.",
"id": "GHSA-qh5q-fpqr-qwj9",
"modified": "2022-05-24T17:36:14Z",
"published": "2022-05-24T17:36:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19284"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GSD-2019-19284
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-19284",
"description": "A vulnerability has been identified in XHQ (All Versions \u003c 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users.",
"id": "GSD-2019-19284"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-19284"
],
"details": "A vulnerability has been identified in XHQ (All Versions \u003c 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users.",
"id": "GSD-2019-19284",
"modified": "2023-12-13T01:23:53.727137Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2019-19284",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "XHQ",
"version": {
"version_data": [
{
"version_value": "All Versions \u003c 6.1"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in XHQ (All Versions \u003c 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:siemens:xhq:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.1.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2019-19284"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A vulnerability has been identified in XHQ (All Versions \u003c 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "N/A",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7
}
},
"lastModifiedDate": "2020-12-15T14:06Z",
"publishedDate": "2020-12-14T21:15Z"
}
}
}
ICSA-20-343-06
Vulnerability from csaf_cisa - Published: 2020-12-08 00:00 - Updated: 2020-12-08 00:00Summary
Siemens XHQ Operations Intelligence
Notes
CISA Disclaimer: This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice: All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation: Successful exploitation of these vulnerabilities could allow an attacker to read sensitive information, modify web content, and perform cross-site scripting and cross-site request forgery on unsuspecting users.
Critical infrastructure sectors: Energy
Countries/areas deployed: Worldwide
Company headquarters location: Germany
Recommended Practices: CISA recommends users take the following measures to protect themselves from social engineering attacks:
Recommended Practices: CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices: Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
Additional Resources: For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:
https://www.siemens.com/cert/advisories
Additional Resources: For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Exploitability: No known public exploits specifically target these vulnerabilities.
CWE-200
- Exposure of Sensitive Information to an Unauthorized Actor
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
XHQ: All Versions < 6.1
Siemens / XHQ
|
All Versions < 6.1 |
Vendor Fix
Mitigation
|
CWE-79
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
XHQ: All Versions < 6.1
Siemens / XHQ
|
All Versions < 6.1 |
Vendor Fix
Mitigation
|
CWE-80
- Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
XHQ: All Versions < 6.1
Siemens / XHQ
|
All Versions < 6.1 |
Vendor Fix
Mitigation
|
CWE-89
- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
XHQ: All Versions < 6.1
Siemens / XHQ
|
All Versions < 6.1 |
Vendor Fix
Mitigation
|
CWE-23
- Relative Path Traversal
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
XHQ: All Versions < 6.1
Siemens / XHQ
|
All Versions < 6.1 |
Vendor Fix
Mitigation
|
CWE-79
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
XHQ: All Versions < 6.1
Siemens / XHQ
|
All Versions < 6.1 |
Vendor Fix
Mitigation
|
CWE-352
- Cross-Site Request Forgery (CSRF)
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
XHQ: All Versions < 6.1
Siemens / XHQ
|
All Versions < 6.1 |
Vendor Fix
Mitigation
|
References
19 references
Acknowledgments
Siemens
{
"document": {
"acknowledgments": [
{
"organization": "Siemens",
"summary": "reporting these vulnerabilities to CISA"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of these vulnerabilities could allow an attacker to read sensitive information, modify web content, and perform cross-site scripting and cross-site request forgery on unsuspecting users.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Energy",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Germany",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take the following measures to protect themselves from social engineering attacks:",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and \nsolutions, please contact the Siemens ProductCERT:\n\nhttps://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "other",
"text": "No known public exploits specifically target these vulnerabilities.",
"title": "Exploitability"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-20-343-06 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2020/icsa-20-343-06.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-20-343-06 Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-20-343-06"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/ncas/tips/ST04-014"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B"
},
{
"category": "external",
"summary": "SSA-496604: SSA-712690: Vulnerabilities in XHQ Operations Intelligence - TXT Version",
"url": "https://cert-portal.siemens.com/productcert/txt/SSA-712690.txt"
}
],
"title": "Siemens XHQ Operations Intelligence",
"tracking": {
"current_release_date": "2020-12-08T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-20-343-06",
"initial_release_date": "2020-12-08T00:00:00.000000Z",
"revision_history": [
{
"date": "2020-12-08T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSA-20-343-06 Siemens XHQ Operations Intelligence"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "All Versions \u003c 6.1",
"product": {
"name": "XHQ: All Versions \u003c 6.1",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "XHQ"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-19283",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"notes": [
{
"category": "summary",
"text": "The application\u0027s web server could expose non-sensitive information about the server\u0027s architecture. This could allow an attacker to adapt further attacks to the version in place.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19283"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Follow XHQ\u0027s documentation on how to implement a secure configuration\nfor IIS",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "mitigation",
"details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
]
},
{
"cve": "CVE-2019-19284",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "summary",
"text": "The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19284"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Follow XHQ\u0027s documentation on how to implement a secure configuration\nfor IIS",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "mitigation",
"details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
]
},
{
"cve": "CVE-2019-19285",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"notes": [
{
"category": "summary",
"text": "The web interface could allow injections that could lead to XSS attacks if unsuspecting users are tricked into accessing a malicious link.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19285"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Follow XHQ\u0027s documentation on how to implement a secure configuration\nfor IIS",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "mitigation",
"details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
]
},
{
"cve": "CVE-2019-19286",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"notes": [
{
"category": "summary",
"text": "The web interface could allow SQL injection attacks if an attacker is able to modify content of particular web pages.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19286"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Follow XHQ\u0027s documentation on how to implement a secure configuration\nfor IIS",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "mitigation",
"details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
]
},
{
"cve": "CVE-2019-19287",
"cwe": {
"id": "CWE-23",
"name": "Relative Path Traversal"
},
"notes": [
{
"category": "summary",
"text": "The web interface could allow attackers to traverse through the file system of the server based by sending specially crafted packets over the network without authentication.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19287"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Follow XHQ\u0027s documentation on how to implement a secure configuration\nfor IIS",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "mitigation",
"details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
]
},
{
"cve": "CVE-2019-19288",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "summary",
"text": "The web interface could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19288"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Follow XHQ\u0027s documentation on how to implement a secure configuration\nfor IIS",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "mitigation",
"details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
]
},
{
"cve": "CVE-2019-19289",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"notes": [
{
"category": "summary",
"text": "The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19289"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Follow XHQ\u0027s documentation on how to implement a secure configuration\nfor IIS",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "mitigation",
"details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
]
}
]
}
VAR-202012-0195
Vulnerability from variot - Updated: 2023-12-18 11:12A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users. XHQ Contains a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. Siemens XHQ is a software platform that aggregates factory or pipeline operation data, and processes these data in a target-oriented manner, and then makes decisions in real time, and effectively improves factory or pipeline operation performance
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202012-0195",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "xhq",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "6.1.0.0"
},
{
"model": "xhq",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30b7\u30fc\u30e1\u30f3\u30b9",
"version": "6.1"
},
{
"model": "xhq",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30b7\u30fc\u30e1\u30f3\u30b9",
"version": null
},
{
"model": "xhq",
"scope": "lt",
"trust": 0.6,
"vendor": "siemens",
"version": "6.1"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-70932"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-016135"
},
{
"db": "NVD",
"id": "CVE-2019-19284"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:siemens:xhq:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.1.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-19284"
}
]
},
"cve": "CVE-2019-19284",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 3.5,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2019-19284",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Low",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2020-70932",
"impactScore": 7.8,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.4,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2019-19284",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "Low",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2019-19284",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2020-70932",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202012-715",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-70932"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-016135"
},
{
"db": "NVD",
"id": "CVE-2019-19284"
},
{
"db": "CNNVD",
"id": "CNNVD-202012-715"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A vulnerability has been identified in XHQ (All Versions \u003c 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users. XHQ Contains a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. Siemens XHQ is a software platform that aggregates factory or pipeline operation data, and processes these data in a target-oriented manner, and then makes decisions in real time, and effectively improves factory or pipeline operation performance",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-19284"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-016135"
},
{
"db": "CNVD",
"id": "CNVD-2020-70932"
}
],
"trust": 2.16
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-19284",
"trust": 3.0
},
{
"db": "SIEMENS",
"id": "SSA-712690",
"trust": 1.6
},
{
"db": "ICS CERT",
"id": "ICSA-20-343-06",
"trust": 1.2
},
{
"db": "JVNDB",
"id": "JVNDB-2019-016135",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2020-70932",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.4359",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202012-715",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-70932"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-016135"
},
{
"db": "NVD",
"id": "CVE-2019-19284"
},
{
"db": "CNNVD",
"id": "CNNVD-202012-715"
}
]
},
"id": "VAR-202012-0195",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-70932"
}
],
"trust": 1.2571428999999998
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-70932"
}
]
},
"last_update_date": "2023-12-18T11:12:15.764000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "SSA-712690",
"trust": 0.8,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
},
{
"title": "Patch for Siemens XHQ cross-site scripting vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/241951"
},
{
"title": "Siemens XHQ Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=137258"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-70932"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-016135"
},
{
"db": "CNNVD",
"id": "CNNVD-202012-715"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.0
},
{
"problemtype": "Cross-site scripting (CWE-79) [ Other ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-016135"
},
{
"db": "NVD",
"id": "CVE-2019-19284"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.6,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19284"
},
{
"trust": 1.2,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-343-06"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.4359/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-70932"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-016135"
},
{
"db": "NVD",
"id": "CVE-2019-19284"
},
{
"db": "CNNVD",
"id": "CNNVD-202012-715"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2020-70932"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-016135"
},
{
"db": "NVD",
"id": "CVE-2019-19284"
},
{
"db": "CNNVD",
"id": "CNNVD-202012-715"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-12-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-70932"
},
{
"date": "2021-08-16T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-016135"
},
{
"date": "2020-12-14T21:15:16.707000",
"db": "NVD",
"id": "CVE-2019-19284"
},
{
"date": "2020-12-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202012-715"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-12-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-70932"
},
{
"date": "2021-08-16T09:04:00",
"db": "JVNDB",
"id": "JVNDB-2019-016135"
},
{
"date": "2020-12-15T14:06:06.373000",
"db": "NVD",
"id": "CVE-2019-19284"
},
{
"date": "2021-07-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202012-715"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202012-715"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Siemens XHQ cross-site scripting vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-70932"
},
{
"db": "CNNVD",
"id": "CNNVD-202012-715"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202012-715"
}
],
"trust": 0.6
}
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…