CVE-2017-16635

{"id": "CVE-2017-16635", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2017-11-06T22:29:00.413", "references": [{"url": "https://www.vulnerability-lab.com/get_content.php?id=1997", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject malicious script codes into the `TWG Explorer` item listing. The request method to inject is POST and the attack vector is located on the application-side of the service. The injection point is the add/create input field and the execution point occurs in the item listing after the add or create."}, {"lang": "es", "value": "En TinyWebGallery v2.4, una vulnerabilidad XSS se localiza en los par\u00e1metros \"mkname\", \"mkitem\" e \"item\" del m\u00f3dulo \"Add/Create\". Los atacantes remotos con cuentas de usuario con pocos privilegios para el acceso backend son capaces de inyectar c\u00f3digos script maliciosos en el listado de \u00edtems \"TWG Explorer\". El m\u00e9todo de petici\u00f3n que se tendr\u00eda que inyectar es POST y el vector de ataque se sit\u00faa en el lado de la aplicaci\u00f3n del servicio. El punto de inyecci\u00f3n es el campo de entrada add/create y el punto de ejecuci\u00f3n ocurre en el listado de \u00edtems tras la adici\u00f3n o la creaci\u00f3n."}], "lastModified": "2017-11-29T14:56:53.217", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tinywebgallery:tinywebgallery:2.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C41219AB-64EB-43BF-90E9-B86EB115998E"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}