VAR-201903-1181
Vulnerability from variot - Updated: 2023-12-18 12:43
A stored cross-site scripting (XSS) issue was discovered in ControlByWeb X-320M-I Web-Enabled Instrumentation-Grade Data Acquisition module 1.05 with firmware revision v1.05. An authenticated user can inject arbitrary script via setup.html in the web interface. ControlByWeb X-320M-I contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. ControlByWeb X-320M is prone to a cross-site scripting vulnerability and an authentication-bypass vulnerability. Attackers can exploit these issues to execute arbitrary code in the context of the browser, obtain sensitive information, or cause a denial-of-service attack; other attacks may also be possible. X-320M-I firmware revision v1.05 and prior are vulnerable. Xytronix Research & Design ControlByWeb X-320M is a network-enabled weather station controller from Xytronix Research & Design, USA. The product supports remote viewing of the current wind speed, wind direction, precipitation, temperature, humidity, solar radiation and air pressure, etc. A cross-site scripting vulnerability exists in the Xytronix Research & Design ControlByWeb X-320M due to the program not validating input properly. A remote attacker could exploit this vulnerability to execute code.
This description is merged from the NVD, JVNDB, BID and VULHUB entries listed in the record below. The record itself classifies CVE-2018-18882 as CWE-79 only and both CVSS vectors rate availability impact as none, so the authentication-bypass and denial-of-service wording appears to come from a broader source entry rather than from this CVE.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201903-1181",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "x-320m-i",
"scope": "eq",
"trust": 1.1,
"vendor": "controlbyweb",
"version": "1.05"
},
{
"model": "x-320m-i",
"scope": "lte",
"trust": 1.0,
"vendor": "controlbyweb",
"version": "1.05"
},
{
"model": "x-320m-i",
"scope": "ne",
"trust": 0.3,
"vendor": "controlbyweb",
"version": "1.06"
}
],
"sources": [
{
"db": "BID",
"id": "106655"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015190"
},
{
"db": "NVD",
"id": "CVE-2018-18882"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:controlbyweb:x-320m-i_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.05",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:controlbyweb:x-320m-i:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-18882"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "John Elder and Tom Westenberg of Applied Risk",
"sources": [
{
"db": "BID",
"id": "106655"
}
],
"trust": 0.3
},
"cve": "CVE-2018-18882",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 3.5,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2018-18882",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Low",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"id": "VHN-129486",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "LOW",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:S/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.4,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2018-18882",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "Low",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-18882",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201901-743",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-129486",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-129486"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015190"
},
{
"db": "NVD",
"id": "CVE-2018-18882"
},
{
"db": "CNNVD",
"id": "CNNVD-201901-743"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A stored cross-site scripting (XSS) issue was discovered in ControlByWeb X-320M-I Web-Enabled Instrumentation-Grade Data Acquisition module 1.05 with firmware revision v1.05. An authenticated user can inject arbitrary script via setup.html in the web interface. ControlByWeb X-320M-I contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. ControlByWeb X-320M is prone to a cross-site scripting vulnerability and an authentication-bypass vulnerability. \nAttackers can exploit these issues to execute arbitrary code in the context of the browser, obtain sensitive information, or cause a denial-of-service attack; other attacks may also be possible. \nX-320M-I firmware revision v1.05 and prior are vulnerable. Xytronix Research \u0026 Design ControlByWeb X-320M is a network-enabled weather station controller from Xytronix Research \u0026 Design, USA. The product supports remote viewing of the current wind speed, wind direction, precipitation, temperature, humidity, solar radiation and air pressure, etc. A cross-site scripting vulnerability exists in the Xytronix Research \u0026 Design ControlByWeb X-320M due to the program not validating input properly. A remote attacker could exploit this vulnerability to execute code",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-18882"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015190"
},
{
"db": "BID",
"id": "106655"
},
{
"db": "VULHUB",
"id": "VHN-129486"
}
],
"trust": 1.98
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-18882",
"trust": 2.8
},
{
"db": "BID",
"id": "106655",
"trust": 2.8
},
{
"db": "ICS CERT",
"id": "ICSA-19-017-03",
"trust": 1.1
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015190",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201901-743",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-129486",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-129486"
},
{
"db": "BID",
"id": "106655"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015190"
},
{
"db": "NVD",
"id": "CVE-2018-18882"
},
{
"db": "CNNVD",
"id": "CNNVD-201901-743"
}
]
},
"id": "VAR-201903-1181",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-129486"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:43:35.968000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "X-320M | Web-Enabled Weather Station",
"trust": 0.8,
"url": "https://www.controlbyweb.com/x320m/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015190"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-129486"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015190"
},
{
"db": "NVD",
"id": "CVE-2018-18882"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://www.securityfocus.com/bid/106655"
},
{
"trust": 1.7,
"url": "https://applied-risk.com/labs/advisories"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-18882"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18882"
},
{
"trust": 0.8,
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-017-03"
},
{
"trust": 0.3,
"url": "https://www.controlbyweb.com/x320m/"
},
{
"trust": 0.3,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-19-017-03"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-129486"
},
{
"db": "BID",
"id": "106655"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015190"
},
{
"db": "NVD",
"id": "CVE-2018-18882"
},
{
"db": "CNNVD",
"id": "CNNVD-201901-743"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-129486"
},
{
"db": "BID",
"id": "106655"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015190"
},
{
"db": "NVD",
"id": "CVE-2018-18882"
},
{
"db": "CNNVD",
"id": "CNNVD-201901-743"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-03-21T00:00:00",
"db": "VULHUB",
"id": "VHN-129486"
},
{
"date": "2019-01-17T00:00:00",
"db": "BID",
"id": "106655"
},
{
"date": "2019-05-09T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015190"
},
{
"date": "2019-03-21T16:00:29.810000",
"db": "NVD",
"id": "CVE-2018-18882"
},
{
"date": "2019-01-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201901-743"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-04-03T00:00:00",
"db": "VULHUB",
"id": "VHN-129486"
},
{
"date": "2019-01-17T00:00:00",
"db": "BID",
"id": "106655"
},
{
"date": "2019-07-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015190"
},
{
"date": "2019-04-03T12:48:44.087000",
"db": "NVD",
"id": "CVE-2018-18882"
},
{
"date": "2019-04-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201901-743"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201901-743"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ControlByWeb X-320M-I Vulnerable to cross-site scripting",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015190"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201901-743"
}
],
"trust": 0.6
}
}