CVE-2018-13002

{"id": "CVE-2018-13002", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2018-06-29T14:29:00.307", "references": [{"url": "https://www.vulnerability-lab.com/get_content.php?id=2121", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An XSS issue was discovered in Inhaltsprojekte in Weblication CMS Core & Grid v12.6.24. The vulnerability is located in the `wFilemanager.php` and `index.php` files of the `/grid5/scripts/` modules. The injection point is located in the Project `Title` and the execution point occurs in the `Inhaltsprojekte` output listing section. Remote attackers with privileged user accounts are able to inject their own malicious script code with a persistent attack vector to compromise user session credentials or to manipulate the affected web-application module output context. The request method to inject is POST."}, {"lang": "es", "value": "Se ha descubierto un problema de Cross-Site Scripting (XSS) en Inhaltsprojekte en Weblication CMS Core Grid v12.6.24. La vulnerabilidad se encuentra en los archivos \"wFilemanager.php\" e \"index.php\" de los m\u00f3dulos \"/grid5/scripts/\". El punto de inyecci\u00f3n se encuentra en el proyecto \"Title\" y el punto de ejecuci\u00f3n se encuentra en la secci\u00f3n de listado de salida \"Inhaltsprojekte\". Los atacantes remotos con cuentas de usuario privilegiadas pueden inyectar su propio c\u00f3digo script malicioso con un vector de ataque persistente para comprometer las credenciales de sesi\u00f3n del usuario o para manipular el contexto de salida del m\u00f3dulo de la aplicaci\u00f3n web afectada. El m\u00e9todo request que se tiene que inyectar es POST."}], "lastModified": "2018-08-20T12:00:30.287", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:weblication:cms_core_\\&_grid:12.6.24:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17BDBE7F-1897-4A50-A4CC-4C54A90FCD3F"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}