CVE-2019-9834

{"id": "CVE-2019-9834", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2019-03-15T17:29:00.383", "references": [{"url": "https://github.com/netdata/netdata/issues/5800#issuecomment-510986112", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.exploit-db.com/exploits/46545", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://www.youtube.com/watch?v=zSG93yX0B8k", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal authentication credentials or to control how the site is rendered to the user. NOTE: the vendor disputes the risk because there is a clear warning next to the button for importing a snapshot"}, {"lang": "es", "value": "** EN DISPUTA ** La aplicaci\u00f3n web Netdata, hasta la versi\u00f3n 1.13.0, permite que los atacantes remotos inyecten su propio c\u00f3digo HTML en una instant\u00e1nea importada. Esto tambi\u00e9n se conoce como inyecci\u00f3n HTML. Su explotaci\u00f3n con \u00e9xito permite que se ejecute HTML proporcionado por el atacante en el contexto del navegador afectado, pudiendo permitir al atacante robar las credenciales de autenticaci\u00f3n o controlar c\u00f3mo se renderiza el sitio al usuario. NOTA: el proveedor no est\u00e1 de acuerdo con el riesgo porque hay una advertencia clara junto al bot\u00f3n al importar una instant\u00e1nea."}], "lastModified": "2024-08-04T22:15:46.160", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netdata:netdata:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC637690-4B20-4183-9C15-ECEC65272965", "versionEndIncluding": "1.13.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}