ID

VAR-201703-0894


CVE

CVE-2017-3866


TITLE

Cross-site scripting vulnerability in the web framework code of Cisco Prime Service Catalog

Trust: 0.8

sources: JVNDB: JVNDB-2017-002457

DESCRIPTION

A vulnerability in the web framework code of Cisco Prime Service Catalog could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system. More Information: CSCvc79842 CSCvc79846 CSCvc79855 CSCvc79873 CSCvc79882 CSCvc79891. Known Affected Releases: 11.1.2. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. These issues are being tracked by Cisco Bug IDs CSCvc79842, CSCvc79846, CSCvc79855, CSCvc79873, CSCvc79882, and CSCvc79891. Cisco Prime Service Catalog supports automated ordering from a unified service catalog of computing, networking, storage, and other data center resources. The vulnerability stems from the program not fully validating the parameters passed to the web server.

Trust: 1.98

sources: NVD: CVE-2017-3866 // JVNDB: JVNDB-2017-002457 // BID: 96917 // VULHUB: VHN-112069

AFFECTED PRODUCTS

vendor: cisco, model: prime service catalog, scope: eq, version: 11.1.2

Trust: 2.7

vendor: cisco, model: prime service catalog, scope: eq, version: 11.1_base

Trust: 1.6

vendor: cisco, model: prime service catalog, scope: ne, version: 12.0

Trust: 0.3

sources: BID: 96917 // JVNDB: JVNDB-2017-002457 // CNNVD: CNNVD-201703-849 // NVD: CVE-2017-3866

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-3866
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-3866
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201703-849
value: MEDIUM

Trust: 0.6

VULHUB: VHN-112069
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-3866
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-112069
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-3866
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.0

NVD: CVE-2017-3866
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-112069 // JVNDB: JVNDB-2017-002457 // CNNVD: CNNVD-201703-849 // NVD: CVE-2017-3866

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-112069 // JVNDB: JVNDB-2017-002457 // NVD: CVE-2017-3866

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-849

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201703-849

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-002457

PATCH

title: cisco-sa-20170315-psc, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-psc

Trust: 0.8

title: Cisco Prime Service Catalog Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=68641

Trust: 0.6

sources: JVNDB: JVNDB-2017-002457 // CNNVD: CNNVD-201703-849

EXTERNAL IDS

db: NVD, id: CVE-2017-3866

Trust: 2.8

db: BID, id: 96917

Trust: 1.4

db: SECTRACK, id: 1038045

Trust: 1.1

db: JVNDB, id: JVNDB-2017-002457

Trust: 0.8

db: CNNVD, id: CNNVD-201703-849

Trust: 0.7

db: VULHUB, id: VHN-112069

Trust: 0.1

sources: VULHUB: VHN-112069 // BID: 96917 // JVNDB: JVNDB-2017-002457 // CNNVD: CNNVD-201703-849 // NVD: CVE-2017-3866

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170315-psc

Trust: 1.7

url: http://www.securityfocus.com/bid/96917

Trust: 1.1

url: http://www.securitytracker.com/id/1038045

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3866

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-3866

Trust: 0.8

url: http://www.cisco.com/

Trust: 0.3

url: https://software.cisco.com/download/navigator.html?mdfid=284870957

Trust: 0.3

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170315-psc

Trust: 0.3

sources: VULHUB: VHN-112069 // BID: 96917 // JVNDB: JVNDB-2017-002457 // CNNVD: CNNVD-201703-849 // NVD: CVE-2017-3866

CREDITS

Cisco

Trust: 0.3

sources: BID: 96917

SOURCES

db: VULHUB, id: VHN-112069
db: BID, id: 96917
db: JVNDB, id: JVNDB-2017-002457
db: CNNVD, id: CNNVD-201703-849
db: NVD, id: CVE-2017-3866

LAST UPDATE DATE

2024-11-23T22:30:49.983000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-112069, date: 2017-07-12T00:00:00
db: BID, id: 96917, date: 2017-03-15T00:00:00
db: JVNDB, id: JVNDB-2017-002457, date: 2017-04-14T00:00:00
db: CNNVD, id: CNNVD-201703-849, date: 2017-03-20T00:00:00
db: NVD, id: CVE-2017-3866, date: 2024-11-21T03:26:16.550

SOURCES RELEASE DATE

db: VULHUB, id: VHN-112069, date: 2017-03-17T00:00:00
db: BID, id: 96917, date: 2017-03-15T00:00:00
db: JVNDB, id: JVNDB-2017-002457, date: 2017-04-14T00:00:00
db: CNNVD, id: CNNVD-201703-849, date: 2017-03-20T00:00:00
db: NVD, id: CVE-2017-3866, date: 2017-03-17T22:59:00.220