Details of VAR-201512-0081

ID

VAR-201512-0081

CVE

CVE-2015-6005

TITLE

IPswitch WhatsUp Gold contains multiple XSS vulnerabilities and a SQLi

Trust: 0.8

sources: CERT/CC: VU#176160

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to inject arbitrary web script or HTML via (1) an SNMP OID object, (2) an SNMP trap message, (3) the View Names field, (4) the Group Names field, (5) the Flow Monitor Credentials field, (6) the Flow Monitor Threshold Name field, (7) the Task Library Name field, (8) the Task Library Description field, (9) the Policy Library Name field, (10) the Policy Library Description field, (11) the Template Library Name field, (12) the Template Library Description field, (13) the System Script Library Name field, (14) the System Script Library Description field, or (15) the CLI Settings Library Description field. IPSwitch WhatsUp Gold Contains a cross-site scripting vulnerability.By any third party, via Web Script or HTML May be inserted. Exploiting these issues may allow an attacker to compromise the application, access or modify data, exploit vulnerabilities in the underlying database, execute HTML and script code in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible. Ipswitch WhatsUp Gold is a set of unified infrastructure and application monitoring software from Ipswitch in the United States. The software supports the performance management of networks, servers, virtual environments and applications

Trust: 2.7

sources: NVD: CVE-2015-6005 // CERT/CC: VU#176160 // JVNDB: JVNDB-2015-006530 // BID: 79506 // VULHUB: VHN-83966

AFFECTED PRODUCTS

vendor:	progress	model:	whatsup gold	scope:	lte	version:	16.3	Trust: 1.0
vendor:	ipswitch	model:	whatsup gold	scope:	eq	version:	16.3	Trust: 0.9
vendor:	ipswitch	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	ipswitch	model:	whatsup gold	scope:	lt	version:	16.4	Trust: 0.8
vendor:	ipswitch	model:	whatsup gold	scope:	eq	version:	14.4.2	Trust: 0.3
vendor:	ipswitch	model:	whatsup gold	scope:	eq	version:	14.2	Trust: 0.3
vendor:	ipswitch	model:	whatsup gold	scope:	eq	version:	15.0.2	Trust: 0.3
vendor:	ipswitch	model:	whatsup gold	scope:	eq	version:	15.02	Trust: 0.3
vendor:	ipswitch	model:	whatsup gold	scope:	eq	version:	15.0.1	Trust: 0.3
vendor:	ipswitch	model:	whatsup gold	scope:	eq	version:	14.4.1	Trust: 0.3
vendor:	ipswitch	model:	whatsup gold	scope:	eq	version:	14.4	Trust: 0.3
vendor:	ipswitch	model:	whatsup gold	scope:	eq	version:	15.0	Trust: 0.3
vendor:	ipswitch	model:	whatsup gold	scope:	ne	version:	16.4.1	Trust: 0.3
vendor:	ipswitch	model:	whatsup gold	scope:	eq	version:	15.0.3	Trust: 0.3
vendor:	ipswitch	model:	whatsup gold	scope:	eq	version:	14.3	Trust: 0.3

sources: CERT/CC: VU#176160 // BID: 79506 // JVNDB: JVNDB-2015-006530 // CNNVD: CNNVD-201512-525 // NVD: CVE-2015-6005

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-6005
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-6005
value:	LOW
Trust: 0.8
CNNVD:	CNNVD-201512-525
value:	LOW
Trust: 0.6
VULHUB:	VHN-83966
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2015-6005
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-83966
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2015-6005
baseSeverity:	MEDIUM
baseScore:	6.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.7
impactScore:	4.7
version:	3.0
Trust: 1.0

sources: VULHUB: VHN-83966 // JVNDB: JVNDB-2015-006530 // CNNVD: CNNVD-201512-525 // NVD: CVE-2015-6005

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-83966 // JVNDB: JVNDB-2015-006530 // NVD: CVE-2015-6005

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201512-525

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201512-525

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006530

PATCH

title:	WhatsUp Gold	url:	http://www.whatsupgold.com/jp/	Trust: 0.8
title:	Twitter	url:	http://twitter.com/ipswitch/statuses/677558623229317121	Trust: 0.8
title:	Ipswitch WhatsUp GoldV16.4	url:	http://www.whatsupgold.com/jp/products/whatsup-gold.aspx	Trust: 0.8
title:	Ipswitch WhatsUp Gold Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=59301	Trust: 0.6

sources: JVNDB: JVNDB-2015-006530 // CNNVD: CNNVD-201512-525

EXTERNAL IDS

db:	CERT/CC	id:	VU#176160	Trust: 3.6
db:	NVD	id:	CVE-2015-6005	Trust: 2.8
db:	BID	id:	79506	Trust: 2.0
db:	SECTRACK	id:	1034833	Trust: 1.1
db:	JVN	id:	JVNVU94212028	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-006530	Trust: 0.8
db:	CNNVD	id:	CNNVD-201512-525	Trust: 0.6
db:	VULHUB	id:	VHN-83966	Trust: 0.1

sources: CERT/CC: VU#176160 // VULHUB: VHN-83966 // BID: 79506 // JVNDB: JVNDB-2015-006530 // CNNVD: CNNVD-201512-525 // NVD: CVE-2015-6005

REFERENCES

url:	https://www.kb.cert.org/vuls/id/176160	Trust: 2.8
url:	https://community.rapid7.com/community/infosec/blog/2015/12/16/multiple-disclosures-for-multiple-network-management-systems	Trust: 2.5
url:	http://www.securityfocus.com/bid/79506	Trust: 1.7
url:	http://twitter.com/ipswitch/statuses/677558623229317121	Trust: 1.7
url:	http://www.securitytracker.com/id/1034833	Trust: 1.1
url:	about vulnerability notes	Trust: 0.8
url:	contact us about this vulnerability	Trust: 0.8
url:	provide a vendor statement	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6005	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu94212028/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6005	Trust: 0.8
url:	http://www.whatsupgold.com/	Trust: 0.3

sources: CERT/CC: VU#176160 // VULHUB: VHN-83966 // BID: 79506 // JVNDB: JVNDB-2015-006530 // CNNVD: CNNVD-201512-525 // NVD: CVE-2015-6005

CREDITS

Noam Rathaus, Owen Shearing of 7Safe Ltd., and Rapid7

Trust: 0.9

sources: BID: 79506 // CNNVD: CNNVD-201512-525

SOURCES

db:	CERT/CC	id:	VU#176160
db:	VULHUB	id:	VHN-83966
db:	BID	id:	79506
db:	JVNDB	id:	JVNDB-2015-006530
db:	CNNVD	id:	CNNVD-201512-525
db:	NVD	id:	CVE-2015-6005

LAST UPDATE DATE

2024-11-23T21:54:46.851000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#176160	date:	2015-12-27T00:00:00
db:	VULHUB	id:	VHN-83966	date:	2016-12-06T00:00:00
db:	BID	id:	79506	date:	2015-12-16T00:00:00
db:	JVNDB	id:	JVNDB-2015-006530	date:	2016-01-13T00:00:00
db:	CNNVD	id:	CNNVD-201512-525	date:	2015-12-28T00:00:00
db:	NVD	id:	CVE-2015-6005	date:	2024-11-21T02:34:16.830

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#176160	date:	2015-12-16T00:00:00
db:	VULHUB	id:	VHN-83966	date:	2015-12-27T00:00:00
db:	BID	id:	79506	date:	2015-12-16T00:00:00
db:	JVNDB	id:	JVNDB-2015-006530	date:	2016-01-04T00:00:00
db:	CNNVD	id:	CNNVD-201512-525	date:	2015-12-18T00:00:00
db:	NVD	id:	CVE-2015-6005	date:	2015-12-27T03:59:01.097