VAR-201812-0478
Vulnerability from variot - Updated: 2023-12-18 12:50
Reflected cross-site scripting (non-persistent) in SCADA WebServer (versions prior to 2.03.0001) could allow an attacker to send a crafted URL that contains JavaScript, which can be reflected off the web application to the victim's browser. SCADA WebServer contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. iniNet SpiderControl SCADA WebServer is a SCADA system server from the Swiss vendor iniNet Solutions. A cross-site scripting vulnerability exists in versions of iniNet SpiderControl SCADA WebServer prior to 2.03.0001. A remote attacker could exploit the vulnerability to execute JavaScript code by sending a specially crafted URL. Successful exploits will result in the execution of arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201812-0478",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "scada webserver",
"scope": "lt",
"trust": 1.0,
"vendor": "spidercontrol",
"version": "2.03.0001"
},
{
"model": "scada web server",
"scope": "lt",
"trust": 0.8,
"vendor": "ininet",
"version": "2.03.0001"
},
{
"model": "solutions ininet spidercontrol scada webserver",
"scope": "lt",
"trust": 0.6,
"vendor": "ininet",
"version": "2.03.0001"
},
{
"model": "scada web server",
"scope": "eq",
"trust": 0.3,
"vendor": "spidercontrol",
"version": "2.3"
},
{
"model": "scada web server",
"scope": "ne",
"trust": 0.3,
"vendor": "spidercontrol",
"version": "2.3.1"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "scada webserver",
"version": "*"
}
],
"sources": [
{
"db": "IVD",
"id": "7d825c0f-463f-11e9-94ac-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-25282"
},
{
"db": "BID",
"id": "106105"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-012969"
},
{
"db": "NVD",
"id": "CVE-2018-18991"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:spidercontrol:scada_webserver:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.03.0001",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-18991"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Ismail Bulbul",
"sources": [
{
"db": "BID",
"id": "106105"
}
],
"trust": 0.3
},
"cve": "CVE-2018-18991",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2018-18991",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2018-25282",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "7d825c0f-463f-11e9-94ac-000c29342cb1",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.2,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.9 [IVD]"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.1,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2018-18991",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-18991",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2018-25282",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201812-126",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "IVD",
"id": "7d825c0f-463f-11e9-94ac-000c29342cb1",
"trust": 0.2,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "7d825c0f-463f-11e9-94ac-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-25282"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-012969"
},
{
"db": "NVD",
"id": "CVE-2018-18991"
},
{
"db": "CNNVD",
"id": "CNNVD-201812-126"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Reflected cross-site scripting (non-persistent) in SCADA WebServer (Versions prior to 2.03.0001) could allow an attacker to send a crafted URL that contains JavaScript, which can be reflected off the web application to the victim\u0027s browser. SCADA WebServer Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. iniNetSpiderControlSCADAWebServer is a SCADA system server from Swiss iniNetSolutions. A cross-site scripting vulnerability exists in versions prior to iniNetSpiderControlSCADAWebServer2.03.0001. A remote attacker could exploit the vulnerability to execute JavaScript code by sending a specially crafted URL. \nSuccessful exploits will result in the execution of arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-18991"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-012969"
},
{
"db": "CNVD",
"id": "CNVD-2018-25282"
},
{
"db": "BID",
"id": "106105"
},
{
"db": "IVD",
"id": "7d825c0f-463f-11e9-94ac-000c29342cb1"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-18991",
"trust": 3.5
},
{
"db": "ICS CERT",
"id": "ICSA-18-338-02",
"trust": 3.3
},
{
"db": "BID",
"id": "106105",
"trust": 2.5
},
{
"db": "CNVD",
"id": "CNVD-2018-25282",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201812-126",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2018-012969",
"trust": 0.8
},
{
"db": "IVD",
"id": "7D825C0F-463F-11E9-94AC-000C29342CB1",
"trust": 0.2
}
],
"sources": [
{
"db": "IVD",
"id": "7d825c0f-463f-11e9-94ac-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-25282"
},
{
"db": "BID",
"id": "106105"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-012969"
},
{
"db": "NVD",
"id": "CVE-2018-18991"
},
{
"db": "CNNVD",
"id": "CNNVD-201812-126"
}
]
},
"id": "VAR-201812-0478",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "7d825c0f-463f-11e9-94ac-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-25282"
}
],
"trust": 1.675
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS",
"Network device"
],
"sub_category": null,
"trust": 0.6
},
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.2
}
],
"sources": [
{
"db": "IVD",
"id": "7d825c0f-463f-11e9-94ac-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-25282"
}
]
},
"last_update_date": "2023-12-18T12:50:28.683000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://spidercontrol.net/"
},
{
"title": "Patch for iniNetSpiderControlSCADAWebServer cross-site scripting vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/146971"
},
{
"title": "iniNet SpiderControl SCADA WebServer Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=87422"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-25282"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-012969"
},
{
"db": "CNNVD",
"id": "CNNVD-201812-126"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-012969"
},
{
"db": "NVD",
"id": "CVE-2018-18991"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.3,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-18-338-02"
},
{
"trust": 1.6,
"url": "http://www.securityfocus.com/bid/106105"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18991"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-18991"
},
{
"trust": 0.3,
"url": "http://spidercontrol.net/download/downloadarea/?lang=en"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-25282"
},
{
"db": "BID",
"id": "106105"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-012969"
},
{
"db": "NVD",
"id": "CVE-2018-18991"
},
{
"db": "CNNVD",
"id": "CNNVD-201812-126"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "7d825c0f-463f-11e9-94ac-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-25282"
},
{
"db": "BID",
"id": "106105"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-012969"
},
{
"db": "NVD",
"id": "CVE-2018-18991"
},
{
"db": "CNNVD",
"id": "CNNVD-201812-126"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-12-14T00:00:00",
"db": "IVD",
"id": "7d825c0f-463f-11e9-94ac-000c29342cb1"
},
{
"date": "2018-12-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-25282"
},
{
"date": "2018-12-04T00:00:00",
"db": "BID",
"id": "106105"
},
{
"date": "2019-02-12T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-012969"
},
{
"date": "2018-12-04T21:29:00.333000",
"db": "NVD",
"id": "CVE-2018-18991"
},
{
"date": "2018-12-05T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201812-126"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-12-14T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-25282"
},
{
"date": "2018-12-04T00:00:00",
"db": "BID",
"id": "106105"
},
{
"date": "2019-02-12T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-012969"
},
{
"date": "2019-10-09T23:37:32.317000",
"db": "NVD",
"id": "CVE-2018-18991"
},
{
"date": "2019-10-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201812-126"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201812-126"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "iniNet SpiderControl SCADA WebServer Cross-Site Scripting Vulnerability",
"sources": [
{
"db": "IVD",
"id": "7d825c0f-463f-11e9-94ac-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-25282"
},
{
"db": "CNNVD",
"id": "CNNVD-201812-126"
}
],
"trust": 1.4
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201812-126"
}
],
"trust": 0.6
}
}