CVE-2014-3110

Multiple cross-site scripting (XSS) vulnerabilities on Honeywell FALCON XLWeb Linux controller devices 2.04.01 and earlier and FALCON XLWeb XLWebExe controller devices 2.02.11 and earlier allow remote attackers to inject arbitrary web script or HTML via invalid input.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://ics-cert.us-cert.gov/advisories/ICSA-14-175-01	Third Party Advisory US Government Resource
http://www.securityfocus.com/bid/68838
https://www.exploit-db.com/exploits/44749/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:h:honeywell:falcon_xlweb_linux_controller::::::::
	cpe:2.3:h:honeywell:falcon_xlweb_xlwebexe::::::::

History

No history.

Information

Published : 2014-07-24 14:55

Updated : 2024-02-04 18:35

NVD link : CVE-2014-3110

Mitre link : CVE-2014-3110

CVE.ORG link : CVE-2014-3110

JSON object : View

Products Affected

honeywell

falcon_xlweb_linux_controller
falcon_xlweb_xlwebexe

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2014-3110", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2014-07-24T14:55:07.487", "references": [{"url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-175-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/68838", "source": "cve@mitre.org"}, {"url": "https://www.exploit-db.com/exploits/44749/", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities on Honeywell FALCON XLWeb Linux controller devices 2.04.01 and earlier and FALCON XLWeb XLWebExe controller devices 2.02.11 and earlier allow remote attackers to inject arbitrary web script or HTML via invalid input."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en los dispositivos controladores Honeywell FALCON XLWeb Linux 2.04.01 y anteriores y los dispositivos controladores FALCON XLWeb XLWebExe 2.02.11 y anteriores permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrariios a trav\u00e9s de entradas inv\u00e1lidas."}], "lastModified": "2018-05-27T01:29:00.247", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:honeywell:falcon_xlweb_linux_controller:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DCD8DDD2-BB5C-4EB4-9475-67F5B6341DBD", "versionEndIncluding": "2.04.01"}, {"criteria": "cpe:2.3:h:honeywell:falcon_xlweb_xlwebexe:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33EAB24D-D7D1-46B5-9740-3A33425AE027", "versionEndIncluding": "2.02.11"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}