Sign-up

ID

VAR-201705-3936


CVE

CVE-2017-7296


TITLE

Contiki Operating System Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-004443

DESCRIPTION

An issue was discovered in Contiki Operating System 3.0. A Persistent XSS vulnerability is present in the MQTT/IBM Cloud Config page (aka mqtt.html) of cc26xx-web-demo. The cc26xx-web-demo features a webserver that runs on a constrained device. That particular page allows a user to remotely configure that device's operation by sending HTTP POST requests. The vulnerability consists of improper input sanitisation of the text fields on the MQTT/IBM Cloud config page, allowing for JavaScript code injection. Contiki Operating System Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Contiki is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Contiki 3.0 is vulnerable; other versions may also be affected

Trust: 1.89

sources: NVD: CVE-2017-7296 // JVNDB: JVNDB-2017-004443 // BID: 98790

AFFECTED PRODUCTS

vendor:contiki osmodel:contikiscope:eqversion:3.0

Trust: 1.6

vendor:contikimodel:operating systemscope:eqversion:3.0

Trust: 0.8

vendor:contikimodel:contikiscope:eqversion:3.0

Trust: 0.3

sources: BID: 98790 // JVNDB: JVNDB-2017-004443 // CNNVD: CNNVD-201703-1233 // NVD: CVE-2017-7296

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-7296
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-7296
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201703-1233
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2017-7296
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2017-7296
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2017-004443 // CNNVD: CNNVD-201703-1233 // NVD: CVE-2017-7296

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2017-004443 // NVD: CVE-2017-7296

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-1233

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201703-1233

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-004443

PATCH
title:Top Pageurl:http://www.contiki-os.org/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2017-004443

EXTERNAL IDS
db:NVDid:CVE-2017-7296
Trust: 2.7
db:BIDid:98790
Trust: 1.3
db:JVNDBid:JVNDB-2017-004443
Trust: 0.8
db:CNNVDid:CNNVD-201703-1233
Trust: 0.6
sources:
            
            
            BID: 98790 // 
            
            
            
            JVNDB: JVNDB-2017-004443 // 
            
            
            
            CNNVD: CNNVD-201703-1233 // 
            
            
            
            NVD: CVE-2017-7296

REFERENCES
url:https://gist.github.com/jackmcbride/c9328627f1ee104ce84f3fb7eff42f1e
Trust: 2.7
url:http://www.securityfocus.com/bid/98790
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7296
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-7296
Trust: 0.8
url:http://www.contiki-os.org/
Trust: 0.3
sources:
            
            
            BID: 98790 // 
            
            
            
            JVNDB: JVNDB-2017-004443 // 
            
            
            
            CNNVD: CNNVD-201703-1233 // 
            
            
            
            NVD: CVE-2017-7296

CREDITS
Jack McBride
Trust: 0.3
sources:
            
            
            BID: 98790

SOURCES
db:BIDid:98790
db:JVNDBid:JVNDB-2017-004443
db:CNNVDid:CNNVD-201703-1233
db:NVDid:CVE-2017-7296

LAST UPDATE DATE
2024-11-23T21:54:02.238000+00:00

SOURCES UPDATE DATE
db:BIDid:98790date:2017-05-27T00:00:00
db:JVNDBid:JVNDB-2017-004443date:2017-06-26T00:00:00
db:CNNVDid:CNNVD-201703-1233date:2017-06-06T00:00:00
db:NVDid:CVE-2017-7296date:2024-11-21T03:31:34.063

SOURCES RELEASE DATE
db:BIDid:98790date:2017-05-27T00:00:00
db:JVNDBid:JVNDB-2017-004443date:2017-06-26T00:00:00
db:CNNVDid:CNNVD-201703-1233date:2017-03-29T00:00:00
db:NVDid:CVE-2017-7296date:2017-05-28T00:29:00.420