CVE-2017-14923

Stored XSS vulnerability via IMG element at "Leadname" of CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.

CVSS v3 5.4 MEDIUM
CVSS v2.0 3.5 LOW

5.4^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://openwall.com/lists/oss-security/2017/09/28/11	Mailing List Patch Third Party Advisory
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/146c5aaafd826c1c8990333c393bff6f64c90786	Issue Tracking Patch Third Party Advisory
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/24e39e1e930097b8793a03b8864d3c484ede546b	Issue Tracking Patch Third Party Advisory
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/bc8a6fbd3128cf5ef27d808f6c6ba869fdc2262b	Issue Tracking Patch Third Party Advisory
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/releases	Issue Tracking Release Notes Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tine20:tine_2.0:*:*:*:*:community:*:*:*

History

No history.

Information

Published : 2017-09-30 01:29

Updated : 2024-02-04 19:29

NVD link : CVE-2017-14923

Mitre link : CVE-2017-14923

CVE.ORG link : CVE-2017-14923

JSON object : View

Products Affected

tine20

tine_2.0

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2017-14923", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2017-09-30T01:29:01.990", "references": [{"url": "http://openwall.com/lists/oss-security/2017/09/28/11", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/146c5aaafd826c1c8990333c393bff6f64c90786", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/24e39e1e930097b8793a03b8864d3c484ede546b", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/bc8a6fbd3128cf5ef27d808f6c6ba869fdc2262b", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/releases", "tags": ["Issue Tracking", "Release Notes", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Stored XSS vulnerability via IMG element at \"Leadname\" of CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users."}, {"lang": "es", "value": "Una vulnerabilidad de Cross-Site Scripting (XSS) persistente mediante un elemento IMG en \"Leadname\" de CRM en Time 2.0 Community Edition en versiones anteriores a la 2017.08.4 permite que un usuario autenticado inyecte c\u00f3digo JavaScript, el cual no se gestiona correctamente durante el renderizado por parte del administrador de la aplicaci\u00f3n u otros usuarios."}], "lastModified": "2017-10-05T16:49:06.450", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tine20:tine_2.0:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "B37AEE90-38C9-404F-8120-555D5DAD5AC1", "versionEndIncluding": "2017.08.3"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}