Details of VAR-201509-0217

ID

VAR-201509-0217

CVE

CVE-2015-6466

TITLE

Moxa Industrial Managed Switch Cross-Site Scripting Vulnerability

Trust: 0.8

sources: IVD: 76a28eb0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05846

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the Diagnosis Ping feature in the administrative web interface on Moxa EDS-405A and EDS-408A switches with firmware before 3.6 allows remote attackers to inject arbitrary web script or HTML via an unspecified field. Moxa EDS-405A/EDS-408A is an Ethernet switch series. Moxa EDS-405A/EDS-408A Series Switches are prone to the following multiple security vulnerabilities: 1. A remote privilege-escalation vulnerability 2. A cross-site scripting vulnerability 3. A denial-of-service vulnerability Attackers can exploit these issues to cause a denial-of-service condition, gain elevated privileges or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 2.7

sources: NVD: CVE-2015-6466 // JVNDB: JVNDB-2015-004694 // CNVD: CNVD-2015-05846 // BID: 76612 // IVD: 76a28eb0-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-84427

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: 76a28eb0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05846

AFFECTED PRODUCTS

vendor:	moxa	model:	eds-405a	scope:	lte	version:	3.4	Trust: 1.0
vendor:	moxa	model:	eds-408a	scope:	lte	version:	3.4	Trust: 1.0
vendor:	moxa	model:	eds-405a series	scope:	-	version:	-	Trust: 0.8
vendor:	moxa	model:	eds-405a series	scope:	lt	version:	3.6	Trust: 0.8
vendor:	moxa	model:	eds-408a series	scope:	-	version:	-	Trust: 0.8
vendor:	moxa	model:	eds-408a series	scope:	lt	version:	3.6	Trust: 0.8
vendor:	moxa	model:	eds-405a/eds-408a	scope:	-	version:	-	Trust: 0.6
vendor:	moxa	model:	eds-408a	scope:	eq	version:	3.4	Trust: 0.6
vendor:	moxa	model:	eds-405a	scope:	eq	version:	3.4	Trust: 0.6
vendor:	moxa	model:	eds-408a series build	scope:	eq	version:	3.414031419	Trust: 0.3
vendor:	moxa	model:	eds-405a series build	scope:	eq	version:	3.414031419	Trust: 0.3
vendor:	eds 405a	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	eds 408a	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 76a28eb0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05846 // BID: 76612 // JVNDB: JVNDB-2015-004694 // CNNVD: CNNVD-201509-146 // NVD: CVE-2015-6466

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-6466
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-6466
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2015-05846
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201509-146
value:	MEDIUM
Trust: 0.6
IVD:	76a28eb0-2351-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2
VULHUB:	VHN-84427
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-6466
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-05846
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	76a28eb0-2351-11e6-abef-000c29c66e3d
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-84427
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: IVD: 76a28eb0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05846 // VULHUB: VHN-84427 // JVNDB: JVNDB-2015-004694 // CNNVD: CNNVD-201509-146 // NVD: CVE-2015-6466

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-84427 // JVNDB: JVNDB-2015-004694 // NVD: CVE-2015-6466

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201509-146

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201509-146

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004694

PATCH

title:	EDS-405A/408A シリーズ	url:	http://japan.moxa.com/product/EDS-408405A.htm	Trust: 0.8
title:	The Latest firmware for EDS-405A series	url:	http://www.moxa.com/support/download.aspx?type=support&id=328	Trust: 0.8
title:	Patch for Moxa Industrial Managed Switch Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/63692	Trust: 0.6
title:	EDS405A_V3.6	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=57733	Trust: 0.6

sources: CNVD: CNVD-2015-05846 // JVNDB: JVNDB-2015-004694 // CNNVD: CNNVD-201509-146

EXTERNAL IDS

db:	NVD	id:	CVE-2015-6466	Trust: 3.6
db:	ICS CERT	id:	ICSA-15-246-03	Trust: 3.4
db:	CNNVD	id:	CNNVD-201509-146	Trust: 0.9
db:	CNVD	id:	CNVD-2015-05846	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-004694	Trust: 0.8
db:	BID	id:	76612	Trust: 0.3
db:	IVD	id:	76A28EB0-2351-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	VULHUB	id:	VHN-84427	Trust: 0.1

sources: IVD: 76a28eb0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05846 // VULHUB: VHN-84427 // BID: 76612 // JVNDB: JVNDB-2015-004694 // CNNVD: CNNVD-201509-146 // NVD: CVE-2015-6466

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-15-246-03	Trust: 3.4
url:	http://www.moxa.com/support/download.aspx?type=support&id=328	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6466	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6466	Trust: 0.8
url:	http://store.moxa.com/a/product/eds-405a-408a-series?id=m20090312047	Trust: 0.3
url:	http://www.moxa.com/support/download.aspx?type=support&id=328	Trust: 0.1

sources: CNVD: CNVD-2015-05846 // VULHUB: VHN-84427 // BID: 76612 // JVNDB: JVNDB-2015-004694 // CNNVD: CNNVD-201509-146 // NVD: CVE-2015-6466

CREDITS

Erwin Paternotte of Applied Risk

Trust: 0.3

sources: BID: 76612

SOURCES

db:	IVD	id:	76a28eb0-2351-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2015-05846
db:	VULHUB	id:	VHN-84427
db:	BID	id:	76612
db:	JVNDB	id:	JVNDB-2015-004694
db:	CNNVD	id:	CNNVD-201509-146
db:	NVD	id:	CVE-2015-6466

LAST UPDATE DATE

2024-11-23T21:54:51.013000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-05846	date:	2015-09-09T00:00:00
db:	VULHUB	id:	VHN-84427	date:	2015-09-14T00:00:00
db:	BID	id:	76612	date:	2015-09-03T00:00:00
db:	JVNDB	id:	JVNDB-2015-004694	date:	2015-09-15T00:00:00
db:	CNNVD	id:	CNNVD-201509-146	date:	2015-09-14T00:00:00
db:	NVD	id:	CVE-2015-6466	date:	2024-11-21T02:35:01.353

SOURCES RELEASE DATE

db:	IVD	id:	76a28eb0-2351-11e6-abef-000c29c66e3d	date:	2015-09-09T00:00:00
db:	CNVD	id:	CNVD-2015-05846	date:	2015-09-09T00:00:00
db:	VULHUB	id:	VHN-84427	date:	2015-09-11T00:00:00
db:	BID	id:	76612	date:	2015-09-03T00:00:00
db:	JVNDB	id:	JVNDB-2015-004694	date:	2015-09-15T00:00:00
db:	CNNVD	id:	CNNVD-201509-146	date:	2015-09-14T00:00:00
db:	NVD	id:	CVE-2015-6466	date:	2015-09-11T16:59:10.423