Lucene search

IcscertCVELIST:CVE-2023-38582

HistorySep 18, 2023 - 8:04 p.m.

CVE-2023-38582 Socomec MOD3GP-SY-120K Cross-site Scripting

2023-09-1820:04:48

CWE-79

icscert

www.cve.org

cve-2023-38582

cross-site scripting

web application

mod3gp-sy-120k

remote attacker

xss payload

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

AI Score

Confidence

High

EPSS

0.001

Percentile

24.0%

JSON

Persistent cross-site scripting (XSS) in the web application of MOD3GP-SY-120K allows an authenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the field MAIL_RCV. When a legitimate user attempts to access to the vulnerable page of the web application, the XSS payload will be executed.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "MODULYS GP (MOD3GP-SY-120K)",
    "vendor": "Socomec",
    "versions": [
      {
        "status": "affected",
        "version": "v01.12.10"
      }
    ]
  }
]

References

www.cisa.gov/news-events/ics-advisories/icsa-23-250-03