Lucene search

[email protected]CVE-2014-3740

HistorySep 11, 2014 - 6:55 p.m.

CVE-2014-3740

2014-09-1118:55:00

CWE-79

[email protected]

web.nvd.nist.gov

cve-2014-3740

cross-site scripting

xss vulnerability

spiceworks

web script

html

authenticated users

ticket request

portal page

5.4 Medium

AI Score

Confidence

High

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.005 Low

EPSS

Percentile

75.4%

JSON

Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbitrary web script or HTML via the Summary field in a ticket request to the portal page.

CPENameOperatorVersion
spiceworks:spiceworksspiceworksle7.2.00190
spiceworks:spiceworksspiceworkseq7.2.00189
spiceworks:spiceworksspiceworkseq7.2.00174

CPE	Name	Operator	Version
spiceworks:spiceworks	spiceworks	le	7.2.00190
spiceworks:spiceworks	spiceworks	eq	7.2.00189
spiceworks:spiceworks	spiceworks	eq	7.2.00174

References

osvdb.org/show/osvdb/106916

packetstormsecurity.com/files/126596/SpiceWorks-7.2.00174-Cross-Site-Scripting.html

packetstormsecurity.com/files/126994/SpiceWorks-IT-Ticketing-System-Cross-Site-Scripting.html

research.openflare.org/advisories/OF-2014-07/spiceworks_xss.txt

research.openflare.org/poc/OF-2014-07/spiceworks_crafted_ticket.mp4

seclists.org/fulldisclosure/2014/Jun/42

secunia.com/advisories/58522

www.exploit-db.com/exploits/33330

www.securityfocus.com/archive/1/532346/100/0/threaded

5.4 Medium

AI Score

Confidence

High

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.005 Low

EPSS

Percentile

75.4%

JSON

Related for CVE-2014-3740

cvelist1 prion1 securityvulns2 packetstorm1