cnvd - cnvd-2021-34120

CNVD-2021-34120

Vulnerability from cnvd - Published: 2021-05-12

Title

Sipwise C5 NGCP CSC跨站脚本漏洞

Description

Sipwise C5 NGCP CSC是奥地利Sipwise公司的一个应用系统。一个统一通信解决方案的核心系统。 Sipwise C5 NGCP CSC CE_m39.3.1版本及之前版本存在跨站脚本漏洞，该漏洞源于输入通过几个参数传递到几个脚本未能被正确地检查。目前没有详细漏洞细节提供。

Severity

低

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法： https://www.sipwise.com/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-31583

Impacted products

Name
Sipwise Sipwise C5 NGCP CSC <=CE_m39.3.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-31583"
    }
  },
  "description": "Sipwise C5 NGCP CSC\u662f\u5965\u5730\u5229Sipwise\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u7cfb\u7edf\u3002\u4e00\u4e2a\u7edf\u4e00\u901a\u4fe1\u89e3\u51b3\u65b9\u6848\u7684\u6838\u5fc3\u7cfb\u7edf\u3002\n\nSipwise C5 NGCP CSC CE_m39.3.1\u7248\u672c\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u8f93\u5165\u901a\u8fc7\u51e0\u4e2a\u53c2\u6570\u4f20\u9012\u5230\u51e0\u4e2a\u811a\u672c\u672a\u80fd\u88ab\u6b63\u786e\u5730\u68c0\u67e5\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttps://www.sipwise.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-34120",
  "openTime": "2021-05-12",
  "products": {
    "product": "Sipwise Sipwise C5 NGCP CSC \u003c=CE_m39.3.1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-31583",
  "serverity": "\u4f4e",
  "submitTime": "2021-04-27",
  "title": "Sipwise C5 NGCP CSC\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2021-31583 (GCVE-0-2021-31583)

Vulnerability from cvelistv5 – Published: 2021-04-23 20:52 – Updated: 2024-08-03 23:03

Summary

Sipwise C5 NGCP WWW Admin version 3.6.7 up to and including platform version NGCP CE 3.0 has multiple authenticated stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user: Stored XSS in callforward/time/set/save (POST tsetname); Reflected XSS in addressbook (GET filter); Stored XSS in addressbook/save (POST firstname, lastname, company); and Reflected XSS in statistics/versions (GET lang).

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://www.zeroscience.mk/en/vulnerabilities	x_refsource_MISC
	https://www.sipwise.com	x_refsource_MISC
	http://packetstormsecurity.com/files/162316/Sipwi…	x_refsource_MISC
	https://www.zeroscience.mk/en/vulnerabilities/ZSL…	x_refsource_MISC
	http://lists.sipwise.com/pipermail/spce-user_list…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:03:33.432Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.zeroscience.mk/en/vulnerabilities"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.sipwise.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/162316/Sipwise-C5-NGCP-CSC-Cross-Site-Scripting.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/2021-September/014708.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sipwise C5 NGCP WWW Admin version 3.6.7 up to and including platform version NGCP CE 3.0 has multiple authenticated stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user: Stored XSS in callforward/time/set/save (POST tsetname); Reflected XSS in addressbook (GET filter); Stored XSS in addressbook/save (POST firstname, lastname, company); and Reflected XSS in statistics/versions (GET lang)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-07T12:55:08",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.zeroscience.mk/en/vulnerabilities"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.sipwise.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/162316/Sipwise-C5-NGCP-CSC-Cross-Site-Scripting.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/2021-September/014708.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-31583",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Sipwise C5 NGCP WWW Admin version 3.6.7 up to and including platform version NGCP CE 3.0 has multiple authenticated stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user: Stored XSS in callforward/time/set/save (POST tsetname); Reflected XSS in addressbook (GET filter); Stored XSS in addressbook/save (POST firstname, lastname, company); and Reflected XSS in statistics/versions (GET lang)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.zeroscience.mk/en/vulnerabilities",
              "refsource": "MISC",
              "url": "https://www.zeroscience.mk/en/vulnerabilities"
            },
            {
              "name": "https://www.sipwise.com",
              "refsource": "MISC",
              "url": "https://www.sipwise.com"
            },
            {
              "name": "http://packetstormsecurity.com/files/162316/Sipwise-C5-NGCP-CSC-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/162316/Sipwise-C5-NGCP-CSC-Cross-Site-Scripting.html"
            },
            {
              "name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php",
              "refsource": "MISC",
              "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php"
            },
            {
              "name": "http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/2021-September/014708.html",
              "refsource": "MISC",
              "url": "http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/2021-September/014708.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-31583",
    "datePublished": "2021-04-23T20:52:09",
    "dateReserved": "2021-04-22T00:00:00",
    "dateUpdated": "2024-08-03T23:03:33.432Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-34120

CVE-2021-31583 (GCVE-0-2021-31583)

Tags

Sightings

Nomenclature