CVE-2014-4309

{"id": "CVE-2014-4309", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2014-06-18T14:55:13.883", "references": [{"url": "http://packetstormsecurity.com/files/127044/Openfiler-NAS-SAN-Appliance-2.99-XSS-Traversal-Command-Injection.html", "tags": ["Exploit"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Openfiler 2.99 allow remote attackers to inject arbitrary web script or HTML via the (1) TinkerAjax parameter to uptime.html, or remote authenticated users to inject arbitrary web script or HTML via the (2) MaxInstances, (3) PassivePorts, (4) Port, (5) ServerName, (6) TimeoutLogin, (7) TimeoutNoTransfer, or (8) TimeoutStalled parameter to admin/services_ftp.html; the (9) dns1 or (10) dns2 parameter to admin/system.html; the (11) newTgtName parameter to admin/volumes_iscsi_targets.html; the User-Agent HTTP header to (12) language.html, (13) login.html, or (14) password.html in account/; or the User-Agent HTTP header to (15) account_groups.html, (16) account_users.html, (17) services.html, (18) services_ftp.html, (19) services_iscsi_target.html, (20) services_rsync.html, (21) system_clock.html, (22) system_info.html, (23) system_ups.html, (24) volumes_editpartitions.html, or (25) volumes_iscsi_targets.html in admin/."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de tipo cross-site-scripting (XSS) en Openfiler versi\u00f3n 2.99, permiten a los atacantes remotos inyectar script web o HTML arbitrario por medio del par\u00e1metro (1) TinkerAjax en el archivo uptime.html, o a los usuarios autenticados remotamente inyectar script web o HTML arbitrario por medio del par\u00e1metro (2) MaxInstances, (3) PassivePorts, (4) Port, (5) ServerName, (6) TimeoutLogin, (7) TimeoutNoTransfer o (8) TimeoutStalled en el archivo admin/services_ftp.html; el par\u00e1metro (9) dns1 o (10) dns2 en el archivo admin/system.html; el par\u00e1metro (11) newTgtName en el archivo admin/volumes_iscsi_targets.html; el encabezado HTTP User-Agent en el archivo (12) language.html, (13) login.html o (14) password.html en account/; o el encabezado HTTP User-Agent en el archivo (15) account_groups.html, (16) account_users.html, (17) services.html, (18) services_ftp.html, (19) services_iscsi_target.html, (20) services_rsync.html, (21) system_clock.html, (22) system_info.html, (23) system_ ups.html, (24) volumes_editpartitions.html o (25) volumes_iscsi_targets.html en admin/."}], "lastModified": "2014-06-21T04:42:02.070", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openfiler:openfiler:2.99:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2254BCD1-ED50-466B-AB16-1E1790CCDA18"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}