cvelistv5 - cve-2018-18985

CVE-2018-18985 (GCVE-0-2018-18985)

Vulnerability from cvelistv5 – Published: 2019-01-29 16:00 – Updated: 2024-09-16 17:54

Summary

Severity ?

No CVSS data available.

CWE

CWE-79 - IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

Assigner

icscert

References

URL

Tags

	http://www.securityfocus.com/bid/106530	vdb-entryx_refsource_BID
	https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Tridium	Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4	Affected: Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T11:23:08.920Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "106530",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/106530"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4",
          "vendor": "Tridium",
          "versions": [
            {
              "status": "affected",
              "version": "Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4"
            }
          ]
        }
      ],
      "datePublic": "2019-01-10T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-01-31T23:57:01",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "name": "106530",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/106530"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2019-01-10T00:00:00",
          "ID": "CVE-2018-18985",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Tridium"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "106530",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/106530"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2018-18985",
    "datePublished": "2019-01-29T16:00:00Z",
    "dateReserved": "2018-11-06T00:00:00",
    "dateUpdated": "2024-09-16T17:54:09.008Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tridium:niagara:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"4.4.93.40.2\", \"matchCriteriaId\": \"2F91AE04-D218-4A1A-AA9C-64BEC0351058\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tridium:niagara:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.6\", \"versionEndExcluding\": \"4.6.96.28.4\", \"matchCriteriaId\": \"E6265A9D-2E4C-46CD-BE33-ECB5A65678FE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tridium:niagara:4.4u2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6A337C58-8D5B-4BA2-A916-8551F9B1B141\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tridium:niagara_ax_framework:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"3.8.401.1\", \"matchCriteriaId\": \"FC3E8353-123A-45C3-B439-6A40B4A3AF1A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tridium:niagara_ax_framework:3.8u4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B98B5F7F-75AF-46FE-9A76-66EF4D9A3A82\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tridium:niagara_enterprise_security:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.3.118.6\", \"matchCriteriaId\": \"FE72BEA5-3F11-4CCC-BE8D-5CB887292D64\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tridium:niagara_enterprise_security:2.3u1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"61618B9B-80C1-4B48-974C-4E9A7E692AFE\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality.\"}, {\"lang\": \"es\", \"value\": \"Tridium Niagara Enterprise Security 2.3u1, en todas las versiones anteriores a la 2.3.118.6; Niagara AX 3.8u4, en todas las versiones anteriores a la 3.8.401.1; Niagara 4.4u2, en todas las versiones anteriores a la 4.4.93.40.2 y Niagara 4.6, en todas las versiones anteriores a la 4.6.96.28.4, contienen una vulnerabilidad Cross-Site Scripting (XSS) que podr\\u00eda permitir que un atacante remoto inyecte c\\u00f3digo en algunas p\\u00e1ginas web, lo que afecta a la confidencialidad.\"}]",
      "id": "CVE-2018-18985",
      "lastModified": "2024-11-21T03:56:59.257",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2019-01-29T16:29:00.483",
      "references": "[{\"url\": \"http://www.securityfocus.com/bid/106530\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"http://www.securityfocus.com/bid/106530\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-18985\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2019-01-29T16:29:00.483\",\"lastModified\":\"2024-11-21T03:56:59.257\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality.\"},{\"lang\":\"es\",\"value\":\"Tridium Niagara Enterprise Security 2.3u1, en todas las versiones anteriores a la 2.3.118.6; Niagara AX 3.8u4, en todas las versiones anteriores a la 3.8.401.1; Niagara 4.4u2, en todas las versiones anteriores a la 4.4.93.40.2 y Niagara 4.6, en todas las versiones anteriores a la 4.6.96.28.4, contienen una vulnerabilidad Cross-Site Scripting (XSS) que podr\u00eda permitir que un atacante remoto inyecte c\u00f3digo en algunas p\u00e1ginas web, lo que afecta a la confidencialidad.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tridium:niagara:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.4.93.40.2\",\"matchCriteriaId\":\"2F91AE04-D218-4A1A-AA9C-64BEC0351058\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tridium:niagara:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.6\",\"versionEndExcluding\":\"4.6.96.28.4\",\"matchCriteriaId\":\"E6265A9D-2E4C-46CD-BE33-ECB5A65678FE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tridium:niagara:4.4u2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6A337C58-8D5B-4BA2-A916-8551F9B1B141\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tridium:niagara_ax_framework:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.8.401.1\",\"matchCriteriaId\":\"FC3E8353-123A-45C3-B439-6A40B4A3AF1A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tridium:niagara_ax_framework:3.8u4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B98B5F7F-75AF-46FE-9A76-66EF4D9A3A82\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tridium:niagara_enterprise_security:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.3.118.6\",\"matchCriteriaId\":\"FE72BEA5-3F11-4CCC-BE8D-5CB887292D64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tridium:niagara_enterprise_security:2.3u1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"61618B9B-80C1-4B48-974C-4E9A7E692AFE\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/106530\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://www.securityfocus.com/bid/106530\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
  }
}

GHSA-76HJ-25WR-PVGG

Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33

Details

Severity ?

5.4 (Medium)


                  
                    CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-18985"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-29T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality.",
  "id": "GHSA-76hj-25wr-pvgg",
  "modified": "2022-05-13T01:33:42Z",
  "published": "2022-05-13T01:33:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18985"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106530"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2018-18985

Vulnerability from fkie_nvd - Published: 2019-01-29 16:29 - Updated: 2024-11-21 03:56

Severity ?

5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	http://www.securityfocus.com/bid/106530	Third Party Advisory, VDB Entry
ics-cert@hq.dhs.gov	https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/106530	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02	Third Party Advisory, US Government Resource

Impacted products

Vendor	Product	Version
tridium	niagara	*
tridium	niagara	*
tridium	niagara	4.4u2
tridium	niagara_ax_framework	*
tridium	niagara_ax_framework	3.8u4
tridium	niagara_enterprise_security	*
tridium	niagara_enterprise_security	2.3u1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tridium:niagara:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F91AE04-D218-4A1A-AA9C-64BEC0351058",
              "versionEndExcluding": "4.4.93.40.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tridium:niagara:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E6265A9D-2E4C-46CD-BE33-ECB5A65678FE",
              "versionEndExcluding": "4.6.96.28.4",
              "versionStartIncluding": "4.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tridium:niagara:4.4u2:*:*:*:*:*:*:*",
              "matchCriteriaId": "6A337C58-8D5B-4BA2-A916-8551F9B1B141",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tridium:niagara_ax_framework:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC3E8353-123A-45C3-B439-6A40B4A3AF1A",
              "versionEndExcluding": "3.8.401.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tridium:niagara_ax_framework:3.8u4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B98B5F7F-75AF-46FE-9A76-66EF4D9A3A82",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tridium:niagara_enterprise_security:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FE72BEA5-3F11-4CCC-BE8D-5CB887292D64",
              "versionEndExcluding": "2.3.118.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tridium:niagara_enterprise_security:2.3u1:*:*:*:*:*:*:*",
              "matchCriteriaId": "61618B9B-80C1-4B48-974C-4E9A7E692AFE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality."
    },
    {
      "lang": "es",
      "value": "Tridium Niagara Enterprise Security 2.3u1, en todas las versiones anteriores a la 2.3.118.6; Niagara AX 3.8u4, en todas las versiones anteriores a la 3.8.401.1; Niagara 4.4u2, en todas las versiones anteriores a la 4.4.93.40.2 y Niagara 4.6, en todas las versiones anteriores a la 4.6.96.28.4, contienen una vulnerabilidad Cross-Site Scripting (XSS) que podr\u00eda permitir que un atacante remoto inyecte c\u00f3digo en algunas p\u00e1ginas web, lo que afecta a la confidencialidad."
    }
  ],
  "id": "CVE-2018-18985",
  "lastModified": "2024-11-21T03:56:59.257",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-01-29T16:29:00.483",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/106530"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/106530"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2019-01673

Vulnerability from cnvd - Published: 2019-01-16

Title

TRIDIUM Niagara Enterprise Security、Niagara AX和Niagara跨站脚本漏洞

Description

TRIDIUM Niagara Enterprise Security、Niagara AX和Niagara都是美国Tridium公司的产品。TRIDIUM Niagara Enterprise Security是一套用于建筑行业的访问控制和安全系统。Niagara AX是一套资产管理框架。Niagara是一套用于支持设备和应用程序连接的平台。 TRIDIUM Niagara Enterprise Security、Niagara AX和Niagara中存在跨站脚本漏洞，该漏洞源于程序未能正确地过滤用户提交的输入，攻击者可利用该漏洞在用户浏览器中执行任意脚本代码。

Severity

中

Patch Name

TRIDIUM Niagara Enterprise Security、Niagara AX和Niagara跨站脚本漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.tridium.com/

Reference

http://www.securityfocus.com/bid/106530

Impacted products

Name
['Tridium Niagara Enterprise Security 2.3u1', 'Tridium Niagara AX 3.8u4', 'Tridium Niagara 4.6', 'Tridium Niagara 4.4u2']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "106530"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-18985"
    }
  },
  "description": "TRIDIUM Niagara Enterprise Security\u3001Niagara AX\u548cNiagara\u90fd\u662f\u7f8e\u56fdTridium\u516c\u53f8\u7684\u4ea7\u54c1\u3002TRIDIUM Niagara Enterprise Security\u662f\u4e00\u5957\u7528\u4e8e\u5efa\u7b51\u884c\u4e1a\u7684\u8bbf\u95ee\u63a7\u5236\u548c\u5b89\u5168\u7cfb\u7edf\u3002Niagara AX\u662f\u4e00\u5957\u8d44\u4ea7\u7ba1\u7406\u6846\u67b6\u3002Niagara\u662f\u4e00\u5957\u7528\u4e8e\u652f\u6301\u8bbe\u5907\u548c\u5e94\u7528\u7a0b\u5e8f\u8fde\u63a5\u7684\u5e73\u53f0\u3002\n\nTRIDIUM Niagara Enterprise Security\u3001Niagara AX\u548cNiagara\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u5730\u8fc7\u6ee4\u7528\u6237\u63d0\u4ea4\u7684\u8f93\u5165\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610f\u811a\u672c\u4ee3\u7801\u3002",
  "discovererName": "Daniel Santos and Elisa Costante",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.tridium.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-01673",
  "openTime": "2019-01-16",
  "patchDescription": "TRIDIUM Niagara Enterprise Security\u3001Niagara AX\u548cNiagara\u90fd\u662f\u7f8e\u56fdTridium\u516c\u53f8\u7684\u4ea7\u54c1\u3002TRIDIUM Niagara Enterprise Security\u662f\u4e00\u5957\u7528\u4e8e\u5efa\u7b51\u884c\u4e1a\u7684\u8bbf\u95ee\u63a7\u5236\u548c\u5b89\u5168\u7cfb\u7edf\u3002Niagara AX\u662f\u4e00\u5957\u8d44\u4ea7\u7ba1\u7406\u6846\u67b6\u3002Niagara\u662f\u4e00\u5957\u7528\u4e8e\u652f\u6301\u8bbe\u5907\u548c\u5e94\u7528\u7a0b\u5e8f\u8fde\u63a5\u7684\u5e73\u53f0\u3002\r\n\r\nTRIDIUM Niagara Enterprise Security\u3001Niagara AX\u548cNiagara\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u5730\u8fc7\u6ee4\u7528\u6237\u63d0\u4ea4\u7684\u8f93\u5165\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610f\u811a\u672c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "TRIDIUM Niagara Enterprise Security\u3001Niagara AX\u548cNiagara\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Tridium Niagara Enterprise Security 2.3u1",
      "Tridium Niagara AX 3.8u4",
      "Tridium Niagara 4.6",
      "Tridium Niagara 4.4u2"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/106530",
  "serverity": "\u4e2d",
  "submitTime": "2019-01-15",
  "title": "TRIDIUM Niagara Enterprise Security\u3001Niagara AX\u548cNiagara\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

VAR-201901-0860

Vulnerability from variot - Updated: 2023-12-18 13:28

Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality. plural Tridium Niagara Product Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Multiple Tridium Products are prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201901-0860",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "niagara",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "tridium",
        "version": "4.4.93.40.2"
      },
      {
        "model": "niagara ax framework",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "tridium",
        "version": "3.8.401.1"
      },
      {
        "model": "niagara enterprise security",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "tridium",
        "version": "2.3.118.6"
      },
      {
        "model": "niagara",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "tridium",
        "version": "4.6"
      },
      {
        "model": "niagara ax framework",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "tridium",
        "version": "3.8u4"
      },
      {
        "model": "niagara enterprise security",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "tridium",
        "version": "2.3u1"
      },
      {
        "model": "niagara",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "tridium",
        "version": "4.4u2"
      },
      {
        "model": "niagara",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "tridium",
        "version": "4.6.96.28.4"
      },
      {
        "model": "niagara",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "tridium",
        "version": "4.4u2 4.4.93.40.2"
      },
      {
        "model": "niagara",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "tridium",
        "version": "niagara 4.6 4.6.96.28.4"
      },
      {
        "model": "niagara ax framework",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "tridium",
        "version": "3.8u4 3.8.401.1"
      },
      {
        "model": "niagara enterprise security",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "tridium",
        "version": "2.3u1 2.3.118.6"
      },
      {
        "model": "niagara enterprise security 2.3u1",
        "scope": null,
        "trust": 0.3,
        "vendor": "tridium",
        "version": null
      },
      {
        "model": "niagara ax 3.8u4",
        "scope": null,
        "trust": 0.3,
        "vendor": "tridium",
        "version": null
      },
      {
        "model": "niagara",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "tridium",
        "version": "4.6"
      },
      {
        "model": "niagara 4.4u2",
        "scope": null,
        "trust": 0.3,
        "vendor": "tridium",
        "version": null
      },
      {
        "model": "niagara enterprise security",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "tridium",
        "version": "2.3.118.6"
      },
      {
        "model": "niagara ax",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "tridium",
        "version": "3.8.401.1"
      },
      {
        "model": "niagara",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "tridium",
        "version": "4.6.96.28.4"
      },
      {
        "model": "niagara",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "tridium",
        "version": "4.4.93.40.2"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "106530"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013990"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-18985"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:tridium:niagara_enterprise_security:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.3.118.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tridium:niagara_ax_framework:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.8.401.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tridium:niagara:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.6.96.28.4",
                "versionStartIncluding": "4.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tridium:niagara:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.4.93.40.2",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tridium:niagara_enterprise_security:2.3u1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tridium:niagara:4.4u2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tridium:niagara_ax_framework:3.8u4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-18985"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Daniel Santos and Elisa Costante of SecurityMatters",
    "sources": [
      {
        "db": "BID",
        "id": "106530"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-430"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2018-18985",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 6.8,
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "LOW",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "Single",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 3.5,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2018-18985",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Low",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.3,
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.4,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "CVE-2018-18985",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "Low",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2018-18985",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201901-430",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013990"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-18985"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-430"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality. plural Tridium Niagara Product Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Multiple Tridium Products are prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. \nAn attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-18985"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013990"
      },
      {
        "db": "BID",
        "id": "106530"
      }
    ],
    "trust": 1.89
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "ICS CERT",
        "id": "ICSA-18-333-02",
        "trust": 2.7
      },
      {
        "db": "NVD",
        "id": "CVE-2018-18985",
        "trust": 2.7
      },
      {
        "db": "BID",
        "id": "106530",
        "trust": 1.9
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013990",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-430",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "106530"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013990"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-18985"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-430"
      }
    ]
  },
  "id": "VAR-201901-0860",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.54507082
  },
  "last_update_date": "2023-12-18T13:28:39.950000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "https://www.tridium.com/"
      },
      {
        "title": "TRIDIUM Niagara Enterprise Security , Niagara AX  and Niagara Fixes for cross-site scripting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=88589"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013990"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-430"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013990"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-18985"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.7,
        "url": "https://ics-cert.us-cert.gov/advisories/icsa-18-333-02"
      },
      {
        "trust": 2.2,
        "url": "http://www.securityfocus.com/bid/106530"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18985"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-18985"
      },
      {
        "trust": 0.3,
        "url": "https://www.tridium.com/"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "106530"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013990"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-18985"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-430"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "BID",
        "id": "106530"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013990"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-18985"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-430"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-01-10T00:00:00",
        "db": "BID",
        "id": "106530"
      },
      {
        "date": "2019-03-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-013990"
      },
      {
        "date": "2019-01-29T16:29:00.483000",
        "db": "NVD",
        "id": "CVE-2018-18985"
      },
      {
        "date": "2019-01-14T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201901-430"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-01-10T00:00:00",
        "db": "BID",
        "id": "106530"
      },
      {
        "date": "2019-03-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-013990"
      },
      {
        "date": "2019-10-09T23:37:31.693000",
        "db": "NVD",
        "id": "CVE-2018-18985"
      },
      {
        "date": "2019-10-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201901-430"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-430"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "plural  Tridium Niagara Product Vulnerable to cross-site scripting",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013990"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "XSS",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-430"
      }
    ],
    "trust": 0.6
  }
}

GSD-2018-18985

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-18985

Aliases

CVE-2018-18985

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-18985",
    "description": "Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality.",
    "id": "GSD-2018-18985"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-18985"
      ],
      "details": "Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality.",
      "id": "GSD-2018-18985",
      "modified": "2023-12-13T01:22:35.936391Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "DATE_PUBLIC": "2019-01-10T00:00:00",
        "ID": "CVE-2018-18985",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Tridium"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "106530",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/106530"
          },
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:tridium:niagara_enterprise_security:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.3.118.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tridium:niagara_ax_framework:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.8.401.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tridium:niagara:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.6.96.28.4",
                "versionStartIncluding": "4.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tridium:niagara:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.4.93.40.2",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tridium:niagara_enterprise_security:2.3u1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tridium:niagara:4.4u2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tridium:niagara_ax_framework:3.8u4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2018-18985"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02"
            },
            {
              "name": "106530",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/106530"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2019-10-09T23:37Z",
      "publishedDate": "2019-01-29T16:29Z"
    }
  }
}

ICSA-18-333-02

Vulnerability from csaf_cisa - Published: 2018-11-29 00:00 - Updated: 2019-01-10 00:00

Summary

ICSA-18-333-02_Tridium Niagara Enterprise Security, Niagara AX, and Niagara 4

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Summary

Daniel Santos and Elisa Costante of SecurityMatters reported the vulnerability to Tridium.

Exploitability

No known public exploits specifically target this vulnerability.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Daniel Santos",
          "Elisa Costante"
        ],
        "organization": "SecurityMatters",
        "summary": "reporting the vulnerability to Tridium"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "summary",
        "text": "Daniel Santos and Elisa Costante of SecurityMatters reported the vulnerability to Tridium.",
        "title": "Summary"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target this vulnerability.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "CISAservicedesk@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-18-333-02 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2018/icsa-18-333-02.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-18-333-02 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-18-333-02"
      }
    ],
    "title": "ICSA-18-333-02_Tridium Niagara Enterprise Security, Niagara AX, and Niagara 4",
    "tracking": {
      "current_release_date": "2019-01-10T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA USCert CSAF Generator",
          "version": "1"
        }
      },
      "id": "ICSA-18-333-02",
      "initial_release_date": "2018-11-29T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2018-11-29T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-18-333-02P Tridium Niagara Enterprise Security, Niagara AX, and Niagara 4"
        },
        {
          "date": "2019-01-10T00:00:00.000000Z",
          "legacy_version": "A",
          "number": "2",
          "summary": "ICSA-18-333-02 Tridium Niagara Enterprise Security, Niagara AX, and Niagara 4 (Update A)"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 4.4.93.40.2",
                "product": {
                  "name": "Niagara 4.4u2: all versions prior to 4.4.93.40.2",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Niagara 4.4u2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 2.3.118.6",
                "product": {
                  "name": "Niagara Enterprise Security 2.3u1: all versions prior to 2.3.118.6",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Niagara Enterprise Security 2.3u1"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 3.8.401.1",
                "product": {
                  "name": "Niagara AX 3.8u4: all versions prior to 3.8.401.1",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "Niagara AX 3.8u4"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 4.6.96.28.4",
                "product": {
                  "name": "Niagara 4.6: all versions prior to 4.6.96.28.4",
                  "product_id": "CSAFPID-0004"
                }
              }
            ],
            "category": "product_name",
            "name": "Niagara 4.6"
          }
        ],
        "category": "vendor",
        "name": "Tridium"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-18985",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality.CVE-2018-18985 has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004"
        ]
      },
      "references": [
        {
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Tridium recommends that affected users upgrade to the latest versions of the software (login required).: Niagara Enterprise security 2.3u1: Version 2.3.118.6",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://software.niagara-central.com/ord?portal:/download/6284"
        },
        {
          "category": "mitigation",
          "details": "Tridium recommends that affected users upgrade to the latest versions of the software (login required).: Niagara AX 3.8u4: Version 3.8.401.1",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://software.niagara-central.com/ord?portal:/download/6276"
        },
        {
          "category": "mitigation",
          "details": "Tridium recommends that affected users upgrade to the latest versions of the software (login required).: Niagara 4.4u2: Version 4.4.93.40.2",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://software.niagara-central.com/ord?portal:/download/6268"
        },
        {
          "category": "vendor_fix",
          "details": "Tridium recommends that affected users upgrade to the latest versions of the software (login required).: Niagara 4.6: Version 4.6.96.28.4",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://software.niagara-central.com/ord?portal:/download/6281"
        },
        {
          "category": "mitigation",
          "details": "Tridium recommends that affected users upgrade to the latest versions of the software (login required).: For more information please see Tridium\u2019s security bulletin SB 2018-Tridium-2",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://www.tridium.com/~/media/tridium/library/documents/collateral/technical%20bulletins/update%20your%20niagara%20software%20-%20fixes%20cross-site%20scripting%20vulnerability_2018-11.ashx?la=en"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ],
      "title": "CVE-2018-18985"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-18985 (GCVE-0-2018-18985)

GHSA-76HJ-25WR-PVGG

FKIE_CVE-2018-18985

CNVD-2019-01673

VAR-201901-0860

GSD-2018-18985

ICSA-18-333-02

Tags

Sightings

Nomenclature