GSD-2023-1841

Vulnerability from gsd - Updated: 2023-12-13 01:20
Details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Honeywell MPA2 Access Panel (Web server modules) allows XSS Using Invalid Characters.This issue affects MPA2 Access Panel all version prior to R1.00.08.05.  Honeywell released firmware update package MPA2 firmware R1.00.08.05 which addresses this vulnerability. This version and all later versions correct the reported vulnerability.
Aliases
Aliases
CVE-2023-1841
To clipboard 

{
  "GSD": {
    "alias": "CVE-2023-1841",
    "id": "GSD-2023-1841"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-1841"
      ],
      "details": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Honeywell MPA2 Access Panel (Web server modules) allows XSS Using Invalid Characters.This issue affects MPA2 Access Panel all version prior to R1.00.08.05.\u00a0\n\nHoneywell released firmware update package MPA2 firmware\u00a0R1.00.08.05 which addresses\u00a0this vulnerability.  This version and all later versions\ncorrect the reported vulnerability.\n\n\n\n",
      "id": "GSD-2023-1841",
      "modified": "2023-12-13T01:20:41.669315Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "psirt@honeywell.com",
        "ID": "CVE-2023-1841",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "MPA2 Access Panel",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "R1.00.08.05"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Honeywell"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "Ken Pyle from CYBIR (kp@cybir.com)"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Honeywell MPA2 Access Panel (Web server modules) allows XSS Using Invalid Characters.This issue affects MPA2 Access Panel all version prior to R1.00.08.05.\u00a0\n\nHoneywell released firmware update package MPA2 firmware\u00a0R1.00.08.05 which addresses\u00a0this vulnerability.  This version and all later versions\ncorrect the reported vulnerability.\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-79",
                "lang": "eng",
                "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://buildings.honeywell.com/us/en/brands/our-brands/security/support-and-resources/product-resources/eol-and-security-notices",
            "refsource": "MISC",
            "url": "https://buildings.honeywell.com/us/en/brands/our-brands/security/support-and-resources/product-resources/eol-and-security-notices"
          },
          {
            "name": "https://https://www.honeywell.com/us/en/product-security",
            "refsource": "MISC",
            "url": "https://https://www.honeywell.com/us/en/product-security"
          }
        ]
      },
      "source": {
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Honeywell MPA2 Access Panel (Web server modules) allows XSS Using Invalid Characters.This issue affects MPA2 Access Panel all version prior to R1.00.08.05.\u00a0\n\nHoneywell released firmware update package MPA2 firmware\u00a0R1.00.08.05 which addresses\u00a0this vulnerability.  This version and all later versions\ncorrect the reported vulnerability.\n\n"
          },
          {
            "lang": "es",
            "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (\u0027cross-site Scripting\u0027) en Honeywell MPA2 Access Panel (m\u00f3dulos de servidor web) permite que XSS utilice caracteres no v\u00e1lidos. Este problema afecta a MPA2 Access Panel en todas las versiones anteriores a R1.00.08.05. Honeywell lanz\u00f3 el paquete de actualizaci\u00f3n de firmware MPA2 R1.00.08.05 que soluciona esta vulnerabilidad. Esta versi\u00f3n y todas las versiones posteriores corrigen la vulnerabilidad informada."
          }
        ],
        "id": "CVE-2023-1841",
        "lastModified": "2024-04-25T14:15:07.973",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.2,
              "source": "psirt@honeywell.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-02-29T06:15:45.093",
        "references": [
          {
            "source": "psirt@honeywell.com",
            "url": "https://buildings.honeywell.com/us/en/brands/our-brands/security/support-and-resources/product-resources/eol-and-security-notices"
          },
          {
            "source": "psirt@honeywell.com",
            "url": "https://https://www.honeywell.com/us/en/product-security"
          }
        ],
        "sourceIdentifier": "psirt@honeywell.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-79"
              }
            ],
            "source": "psirt@honeywell.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.