CVE-2013-6233

Cross-site scripting (XSS) vulnerability in SpagoBI before 4.1 allows remote authenticated users to inject arbitrary web script or HTML via the Description field in the "Short document metadata."

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.exploit-db.com/exploits/32039	Exploit
http://packetstormsecurity.com/files/125496	Exploit
http://www.securityfocus.com/bid/65915
https://exchange.xforce.ibmcloud.com/vulnerabilities/91506
http://www.securityfocus.com/archive/1/531322/100/0/threaded

Configurations

Configuration 1 (hide)

cpe:2.3:a:eng:spagobi:*:*:*:*:*:*:*:*

Information

Published : 2014-03-09 06:16

Updated : 2018-10-09 12:34

NVD link : CVE-2013-6233

Mitre link : CVE-2013-6233

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Products Affected

eng

spagobi

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.exploit-db.com/exploits/32039", "name": "32039", "tags": ["Exploit"], "refsource": "EXPLOIT-DB"}, {"url": "http://packetstormsecurity.com/files/125496", "name": "http://packetstormsecurity.com/files/125496", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "http://www.securityfocus.com/bid/65915", "name": "65915", "tags": [], "refsource": "BID"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91506", "name": "spagobi-cve20136233-xss(91506)", "tags": [], "refsource": "XF"}, {"url": "http://www.securityfocus.com/archive/1/531322/100/0/threaded", "name": "20140301 [CVE-2013-6233] Persistent HTML Script Insertion permits offsite-bound forms in SpagoBI v4.0", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in SpagoBI before 4.1 allows remote authenticated users to inject arbitrary web script or HTML via the Description field in the \"Short document metadata.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2013-6233", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2014-03-09T13:16Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:eng:spagobi:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "4.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-09T19:34Z"}

4.3 /10