Lucene search

INCIBECVELIST:CVE-2023-6098

HistoryNov 13, 2023 - 1:13 p.m.

CVE-2023-6098 Cross-site Scripting on ICSSolution ICS Business Manager

2023-11-1313:13:26

CWE-79

INCIBE

www.cve.org

cross-site scripting

remote attacker

special crafted string

obdd_act parameter

authenticated user's session

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

6.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.4%

JSON

An XSS vulnerability has been discovered in ICS Business Manager affecting version 7.06.0028.7066. A remote attacker could send a specially crafted string exploiting the obdd_act parameter, allowing the attacker to steal an authenticated user’s session, and perform actions within the application.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "ICS Business Manager",
    "vendor": "ICSSolution",
    "versions": [
      {
        "status": "affected",
        "version": "7.06.0028.7066"
      },
      {
        "status": "affected",
        "version": "7.06.0028.2802"
      }
    ]
  }
]

References

www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-icssolution-ics-business-manager