6.1
CVE-2019-1000024
- EPSS 1.24%
- Veröffentlicht 04.02.2019 21:29:01
- Zuletzt bearbeitet 21.11.2024 04:17:42
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginOPT/NET BV NG-NetMS version v3.6-2 and earlier versions contains a Cross Site Scripting (XSS) vulnerability in /js/libs/jstree/demo/filebrowser/index.php page. The "id" and "operation" GET parameters can be used to inject arbitrary JavaScript which is returned in the page's response that can result in Cross-site scripting.This attack appear to be exploitable via network connectivity.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.24% | 0.651 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://sourceforge.net/projects/ngnms/
https://inf0seq.github.io/cve/2019/01/20/Cross-site-scripting-%28XSS%29-in-OPTOSS-Next-Gen-Network-Management-System-%28NG-NetMS%29.html
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29