CVE-2018-13000

{"id": "CVE-2018-13000", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2018-06-29T14:29:00.213", "references": [{"url": "https://www.vulnerability-lab.com/get_content.php?id=2123", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An XSS issue was discovered in Advanced Electron Forum (AEF) v1.0.9. A persistent XSS vulnerability is located in the `FTP Link` element of the `Private Message` module. The editor of the private message module allows inserting links without sanitizing the content. This allows remote attackers to inject malicious script code payloads as a private message (aka pmbody). The injection point is the editor ftp link element and the execution point occurs in the message body context on arrival. The request method to inject is POST with restricted user privileges."}, {"lang": "es", "value": "Se ha descubierto un problema de Cross-Site Scripting (XSS) en Advanced Electron Forum (AEF) v1.0.9. Una vulnerabilidad Cross-Site Scripting (XSS) persistente se encuentra en el elemento \"FTP Link\" del m\u00f3dulo \"Private Message\". El editor del m\u00f3dulo de mensajes privados permite insertar enlaces sin sanear el contenido. Esto permite a los atacantes remotos inyectar cargas \u00fatiles de c\u00f3digo script malicioso como un mensaje privado (tambi\u00e9n conocido como pmbody). El punto de inyecci\u00f3n es el elemento de enlace ftp del editor y el punto de ejecuci\u00f3n se produce en el contexto del cuerpo del mensaje a la llegada. El m\u00e9todo request que hay que inyectar es POST con privilegios de usuario restringidos."}], "lastModified": "2018-08-20T11:57:13.423", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:anelectron:advanced_electron_forum:1.0.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "049F0620-424A-402B-8247-BEACFC733443"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}