History: Dec 14, 2022 - 9:15 a.m.

CVE-2022-3073

2022-12-14 09:15:09
CWE-79
web.nvd.nist.gov
quanos
schema st4
web templates
javascript injection
remote attacker
session hijacking
web services
security vulnerability

CVSS3: 6.1 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score: 6.5 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 40.5%)

Quanos “SCHEMA ST4” example web templates in version Bootstrap 2019 v2/2021 v1/2022 v1/2022 SP1 v1 or below are prone to JavaScript injection, allowing a remote attacker to hijack existing sessions (e.g. to other web services in the same environment) or execute scripts in the user's browser environment. The affected script is ‘*-schema.js’.

Affected configurations

NVD

Node: weidmueller 19_iot_md01_lan_h4_s0011_firmware (Match -) AND weidmueller 19_iot_md01_lan_h4_s0011 (Match -)
Node: weidmueller fp_iot_md01_4eu_s2_00000_firmware (Match -) AND weidmueller fp_iot_md01_4eu_s2_00000 (Match -)
Node: weidmueller fp_iot_md01_lan_s2_00000_firmware (Match -) AND weidmueller fp_iot_md01_lan_s2_00000 (Match -)
Node: weidmueller fp_iot_md01_lan_s2_00011_firmware (Match -) AND weidmueller fp_iot_md01_lan_s2_00011 (Match -)
Node: weidmueller fp_iot_md02_4eu_s3_00000_firmware (Match -) AND weidmueller fp_iot_md02_4eu_s3_00000 (Match -)
Node: weidmueller iot-gw30_firmware (Range 1.16.0) AND weidmueller iot-gw30 (Match -)
Node: weidmueller iot-gw30-4g-eu_firmware (Range 1.16.0) AND weidmueller iot-gw30-4g-eu (Match -)
Node: weidmueller uc20-wl2000-ac_firmware (Range 1.16.0) AND weidmueller uc20-wl2000-ac (Match -)
Node: weidmueller uc20-wl2000-iot_firmware (Range 1.16.0) AND weidmueller uc20-wl2000-iot (Match -)

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "Bootstrap 2019"
    ],
    "product": "Schema ST4 example web templates",
    "vendor": "Quanos",
    "versions": [
      {
        "lessThanOrEqual": "2",
        "status": "affected",
        "version": "1",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "modules": [
      "Bootstrap 2022",
      "Bootstrap 2022 SP1",
      "Bootstrap 2021"
    ],
    "product": "Schema ST4 example web templates",
    "vendor": "Quanos",
    "versions": [
      {
        "status": "affected",
        "version": "1"
      }
    ]
  }
]
