CVE-2017-8000

{"id": "CVE-2017-8000", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2017-07-17T14:29:01.107", "references": [{"url": "http://seclists.org/fulldisclosure/2017/Jul/25", "tags": ["Mailing List", "Third Party Advisory"], "source": "security_alert@emc.com"}, {"url": "http://www.securityfocus.com/bid/99572", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security_alert@emc.com"}, {"url": "http://www.securitytracker.com/id/1038878", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security_alert@emc.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "In EMC RSA Authentication Manager 8.2 SP1 and earlier, a malicious RSA Security Console Administrator could craft a token profile and store the profile name in the RSA Authentication Manager database. The profile name could include a crafted script (with an XSS payload) that could be executed when viewing or editing the assigned token profile in the token by another administrator's browser session."}, {"lang": "es", "value": "En RSA Authentication Manager versi\u00f3n 8.2 SP1 y anteriores de EMC, un Administrador de la Consola de Seguridad de RSA malicioso podr\u00eda crear un perfil de token y almacenar el nombre del perfil en la base de datos de RSA Authentication Manager. El nombre del perfil podr\u00eda incluir un script creado (con una carga de tipo XSS) que podr\u00eda ser ejecutada al visualizar o editar el perfil del token asignado en el token por la sesi\u00f3n del navegador de otro administrador."}], "lastModified": "2017-08-10T22:23:11.243", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:emc:rsa_authentication_manager:*:sp1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A7D03E1-0EEF-4E76-ADEF-39A302C6DD13", "versionEndIncluding": "8.2"}], "operator": "OR"}]}], "sourceIdentifier": "security_alert@emc.com"}