Lucene search

[email protected]NVD:CVE-2020-23450

HistorySep 01, 2020 - 4:15 p.m.

CVE-2020-23450

2020-09-0116:15:12

CWE-79

[email protected]

web.nvd.nist.gov

spiceworks

version 7.5.00107

xss

custom groups

stored xss

output sanitization

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

26.4%

JSON

Spiceworks Version <= 7.5.00107 is affected by XSS. Any name typed on Custom Groups function is vulnerable to stored XSS as they displayed on http://127.0.0.1/inventory/groups/ without output sanitization.

Affected configurations

Nvd

Node

spiceworksspiceworksRange≤7.5.00107

VendorProductVersionCPE
spiceworksspiceworks*cpe:2.3:a:spiceworks:spiceworks:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
spiceworks	spiceworks	*	cpe:2.3:a:spiceworks:spiceworks::::::::

References

spiceworks.com

abuyv.com

abuyv.com/cve/spiceworks-stored-xss

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

26.4%

JSON

Related for NVD:CVE-2020-23450

prion1 cvelist1 cve1