CVE-2018-25090 (GCVE-0-2018-25090)
Vulnerability from cvelistv5 – Published: 2024-03-13 08:32 – Updated: 2024-08-05 15:22
VLAI?
Title
Wago: Improper Neutralization of Input During Web Page Generation in multiple devices
Summary
An unauthenticated remote attacker can use an XSS attack due to improper neutralization of input during web page generation. User interaction is required. This leads to a limited impact of confidentiality and integrity but no impact of availability.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WAGO | Controller BACnet/IP |
Affected:
0 , ≤ FW13
(semver)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:33:48.504Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cert.vde.com/en/advisories/VDE-2023-039/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-25090",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T15:21:55.909544Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T15:22:05.933Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Controller BACnet/IP",
"vendor": "WAGO",
"versions": [
{
"lessThanOrEqual": "FW13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller BACnet MS/TP",
"vendor": "WAGO",
"versions": [
{
"lessThanOrEqual": "FW13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Ethernet Controller 3rd Generation",
"vendor": "WAGO",
"versions": [
{
"lessThanOrEqual": "FW13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Ethernet Controller 3rd Generation",
"vendor": "WAGO",
"versions": [
{
"lessThanOrEqual": "FW13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Fieldbus Coupler Ethernet 3rd Generation",
"vendor": "WAGO",
"versions": [
{
"lessThanOrEqual": "FW13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated remote attacker can use an XSS attack due to improper neutralization of input during web page generation. User interaction is required.\u0026nbsp;This leads to a limited impact of confidentiality and integrity but no impact of availability."
}
],
"value": "An unauthenticated remote attacker can use an XSS attack due to improper neutralization of input during web page generation. User interaction is required.\u00a0This leads to a limited impact of confidentiality and integrity but no impact of availability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-13T08:32:17.180Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://cert.vde.com/en/advisories/VDE-2023-039/"
}
],
"source": {
"advisory": "VDE-2023-039",
"defect": [
"CERT@VDE#64546"
],
"discovery": "EXTERNAL"
},
"title": "Wago: Improper Neutralization of Input During Web Page Generation in multiple devices",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2018-25090",
"datePublished": "2024-03-13T08:32:17.180Z",
"dateReserved": "2023-09-14T13:00:21.075Z",
"dateUpdated": "2024-08-05T15:22:05.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"An unauthenticated remote attacker can use an XSS attack due to improper neutralization of input during web page generation. User interaction is required.\\u00a0This leads to a limited impact of confidentiality and integrity but no impact of availability.\"}, {\"lang\": \"es\", \"value\": \"Un atacante remoto no autenticado puede utilizar un ataque XSS debido a una neutralizaci\\u00f3n inadecuada de la entrada durante la generaci\\u00f3n de la p\\u00e1gina web. Se requiere la interacci\\u00f3n del usuario. Esto conduce a un impacto limitado en la confidencialidad e integridad, pero ning\\u00fan impacto en la disponibilidad.\"}]",
"id": "CVE-2018-25090",
"lastModified": "2024-11-21T04:03:32.180",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"info@cert.vde.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.5}]}",
"published": "2024-03-13T09:15:07.040",
"references": "[{\"url\": \"https://cert.vde.com/en/advisories/VDE-2023-039/\", \"source\": \"info@cert.vde.com\"}, {\"url\": \"https://cert.vde.com/en/advisories/VDE-2023-039/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "info@cert.vde.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"info@cert.vde.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2018-25090\",\"sourceIdentifier\":\"info@cert.vde.com\",\"published\":\"2024-03-13T09:15:07.040\",\"lastModified\":\"2024-11-21T04:03:32.180\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An unauthenticated remote attacker can use an XSS attack due to improper neutralization of input during web page generation. User interaction is required.\u00a0This leads to a limited impact of confidentiality and integrity but no impact of availability.\"},{\"lang\":\"es\",\"value\":\"Un atacante remoto no autenticado puede utilizar un ataque XSS debido a una neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de la p\u00e1gina web. Se requiere la interacci\u00f3n del usuario. Esto conduce a un impacto limitado en la confidencialidad e integridad, pero ning\u00fan impacto en la disponibilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"info@cert.vde.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"info@cert.vde.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://cert.vde.com/en/advisories/VDE-2023-039/\",\"source\":\"info@cert.vde.com\"},{\"url\":\"https://cert.vde.com/en/advisories/VDE-2023-039/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://cert.vde.com/en/advisories/VDE-2023-039/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-05T12:33:48.504Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2018-25090\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-05T15:21:55.909544Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-05T15:22:00.508Z\"}}], \"cna\": {\"title\": \"Wago: Improper Neutralization of Input During Web Page Generation in multiple devices\", \"source\": {\"defect\": [\"CERT@VDE#64546\"], \"advisory\": \"VDE-2023-039\", \"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"WAGO\", \"product\": \"Controller BACnet/IP\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"FW13\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WAGO\", \"product\": \"Controller BACnet MS/TP\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"FW13\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WAGO\", \"product\": \"Ethernet Controller 3rd Generation\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"FW13\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WAGO\", \"product\": \"Ethernet Controller 3rd Generation\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"FW13\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"WAGO\", \"product\": \"Fieldbus Coupler Ethernet 3rd Generation\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"FW13\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://cert.vde.com/en/advisories/VDE-2023-039/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An unauthenticated remote attacker can use an XSS attack due to improper neutralization of input during web page generation. User interaction is required.\\u00a0This leads to a limited impact of confidentiality and integrity but no impact of availability.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An unauthenticated remote attacker can use an XSS attack due to improper neutralization of input during web page generation. User interaction is required.\u0026nbsp;This leads to a limited impact of confidentiality and integrity but no impact of availability.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"270ccfa6-a436-4e77-922e-914ec3a9685c\", \"shortName\": \"CERTVDE\", \"dateUpdated\": \"2024-03-13T08:32:17.180Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2018-25090\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-05T15:22:05.933Z\", \"dateReserved\": \"2023-09-14T13:00:21.075Z\", \"assignerOrgId\": \"270ccfa6-a436-4e77-922e-914ec3a9685c\", \"datePublished\": \"2024-03-13T08:32:17.180Z\", \"assignerShortName\": \"CERTVDE\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…