Lucene search

MitreCVE-2019-16414

HistorySep 30, 2019 - 1:15 p.m.

CVE-2019-16414

2019-09-3013:15:10

CWE-79

mitre

web.nvd.nist.gov

information security

cve-2019-16414

dom based xss

gfi kerio control

malicious code

credential manipulation

nvd

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

Confidence

High

EPSS

0.002

Percentile

57.6%

JSON

A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page to send back a victim’s cleartext credentials to an attacker via a login/?reason=failure&NTLM= URI.

Affected configurations

Nvd

Node

gfikerio_controlMatch9.3.0

VendorProductVersionCPE
gfikerio_control9.3.0cpe:2.3:a:gfi:kerio_control:9.3.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
gfi	kerio_control	9.3.0	cpe:2.3:a:gfi:kerio_control:9.3.0:::::::*

References

packetstormsecurity.com/files/154678/GFI-Kerio-Control-9.3.0-Cross-Site-Scripting.html

seclists.org/fulldisclosure/2019/Sep/35

twitter.com/haxel0rd/status/1174279811751174144

www.youtube.com/watch?v=ZqqR89vzZ_I

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

Confidence

High

EPSS

0.002

Percentile

57.6%

JSON

Related for CVE-2019-16414