ID

VAR-201709-1051


CVE

CVE-2017-13754


TITLE

Wibu-Systems CodeMeter Cross-Site Scripting Vulnerability

Trust: 1.4

sources: IVD: 05bed560-8aa3-476d-a0cb-40b1fdd83a18 // CNVD: CNVD-2017-32459 // CNNVD: CNNVD-201709-058

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the "advanced settings - time server" module in Wibu-Systems CodeMeter before 6.50b allows remote attackers to inject arbitrary web script or HTML via the "server name" field in actions/ChangeConfiguration.html. Wibu-Systems CodeMeter contains a cross-site scripting vulnerability; information may be obtained and information may be altered. Wibu-Systems CodeMeter is a suite of anti-piracy protection products from Wibu-Systems, Germany, for protecting software against piracy and insecure software. The product uses encryption technology together with a small USB hardware device, the CmStick, which carries a SmartCard chip with 128KB of secure storage for license and license-related data. Wibu-Systems CodeMeter is prone to a cross-site scripting vulnerability because it fails to properly handle user-supplied input. An attacker can leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks. Versions prior to CodeMeter 6.50b are vulnerable.

Trust: 2.61

sources: NVD: CVE-2017-13754 // JVNDB: JVNDB-2017-007768 // CNVD: CNVD-2017-32459 // BID: 104433 // IVD: 05bed560-8aa3-476d-a0cb-40b1fdd83a18

IOT TAXONOMY

category: ['ICS']  sub_category: -

Trust: 0.8

sources: IVD: 05bed560-8aa3-476d-a0cb-40b1fdd83a18 // CNVD: CNVD-2017-32459

AFFECTED PRODUCTS

vendor: wibu  model: codemeter  scope: lte  version: 6.50a

Trust: 1.0

vendor: wibu  model: codemeter  scope: lt  version: 6.50b

Trust: 0.8

vendor: wibu  model: codemeter <6.50b  scope: -  version: -

Trust: 0.6

vendor: wibu  model: codemeter  scope: eq  version: 6.50a

Trust: 0.6

vendor: wibu  model: codemeter 6.50a  scope: -  version: -

Trust: 0.3

vendor: wibu  model: codemeter 4.50b  scope: -  version: -

Trust: 0.3

vendor: wibu  model: codemeter  scope: eq  version: 4.40

Trust: 0.3

vendor: wibu  model: codemeter 4.30d  scope: -  version: -

Trust: 0.3

vendor: wibu  model: codemeter 4.30c  scope: -  version: -

Trust: 0.3

vendor: wibu  model: codemeter 4.20b  scope: -  version: -

Trust: 0.3

vendor: rockwell  model: automation studio view designer  scope: eq  version: 50000

Trust: 0.3

vendor: rockwell  model: automation studio logix emulate  scope: eq  version: 50000

Trust: 0.3

vendor: rockwell  model: automation studio logix designer  scope: eq  version: 50000

Trust: 0.3

vendor: rockwell  model: automation studio architect  scope: eq  version: 50000

Trust: 0.3

vendor: rockwell  model: automation softlogix  scope: eq  version: 58000

Trust: 0.3

vendor: rockwell  model: automation rsview32  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation rslogix5  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation rslogix emulate  scope: eq  version: 50000

Trust: 0.3

vendor: rockwell  model: automation rslogix  scope: eq  version: 5000

Trust: 0.3

vendor: rockwell  model: automation rslinx classic  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation rsfieldbus  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation factorytalk viewpoint  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation factorytalk view site edition  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation factorytalk view machine edition  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation factorytalk vantagepoint  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation factorytalk transaction manager  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation factorytalk metrics  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation factorytalk information server  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation factorytalk historian site edition  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation factorytalk historian classic  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation factorytalk gateway  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation factorytalk eprocedure  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation factorytalk energymetrix  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation factorytalk batch  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation factorytalk assetcentre  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation factorytalk activation manager  scope: eq  version: 4.01

Trust: 0.3

vendor: rockwell  model: automation factorytalk activation manager  scope: eq  version: 4.00

Trust: 0.3

vendor: rockwell  model: automation factorytalk activation manager  scope: eq  version: 3.40

Trust: 0.3

vendor: rockwell  model: automation emonitor  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: automation arena  scope: eq  version: 0

Trust: 0.3

vendor: rockwell  model: rsnetworx  scope: eq  version: 0

Trust: 0.3

vendor: rockwall  model: automation rslogix  scope: eq  version: 50000

Trust: 0.3

vendor: wibu  model: codemeter 6.50b  scope: ne  version: -

Trust: 0.3

vendor: codemeter  model: -  scope: eq  version: *

Trust: 0.2

sources: IVD: 05bed560-8aa3-476d-a0cb-40b1fdd83a18 // CNVD: CNVD-2017-32459 // BID: 104433 // JVNDB: JVNDB-2017-007768 // CNNVD: CNNVD-201709-058 // NVD: CVE-2017-13754

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-13754
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-13754
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-32459
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201709-058
value: LOW

Trust: 0.6

IVD: 05bed560-8aa3-476d-a0cb-40b1fdd83a18
value: LOW

Trust: 0.2

nvd@nist.gov: CVE-2017-13754
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-32459
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 05bed560-8aa3-476d-a0cb-40b1fdd83a18
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-13754
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: IVD: 05bed560-8aa3-476d-a0cb-40b1fdd83a18 // CNVD: CNVD-2017-32459 // JVNDB: JVNDB-2017-007768 // CNNVD: CNNVD-201709-058 // NVD: CVE-2017-13754

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2017-007768 // NVD: CVE-2017-13754

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-058

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201709-058

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007768

PATCH

title: CodeMeter  url: http://www.wibu.com/codemeter.html

Trust: 0.8

title: Patch for Wibu-Systems CodeMeter Cross-Site Scripting Vulnerability  url: https://www.cnvd.org.cn/patchInfo/show/105240

Trust: 0.6

title: Wibu-Systems CodeMeter Fixes for cross-site scripting vulnerabilities  url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74525

Trust: 0.6

sources: CNVD: CNVD-2017-32459 // JVNDB: JVNDB-2017-007768 // CNNVD: CNNVD-201709-058

EXTERNAL IDS

db: NVD  id: CVE-2017-13754

Trust: 3.5

db: ICS CERT  id: ICSA-18-102-02

Trust: 2.1

db: BID  id: 104433

Trust: 1.3

db: EXPLOIT-DB  id: 42610

Trust: 1.0

db: CNVD  id: CNVD-2017-32459

Trust: 0.8

db: CNNVD  id: CNNVD-201709-058

Trust: 0.8

db: JVNDB  id: JVNDB-2017-007768

Trust: 0.8

db: EXPLOITDB  id: 42610

Trust: 0.6

db: IVD  id: 05BED560-8AA3-476D-A0CB-40B1FDD83A18

Trust: 0.2

sources: IVD: 05bed560-8aa3-476d-a0cb-40b1fdd83a18 // CNVD: CNVD-2017-32459 // BID: 104433 // JVNDB: JVNDB-2017-007768 // CNNVD: CNNVD-201709-058 // NVD: CVE-2017-13754

REFERENCES

url:https://www.vulnerability-lab.com/get_content.php?id=2074

Trust: 2.4

url:http://seclists.org/fulldisclosure/2017/sep/1

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2017-13754

Trust: 1.4

url:https://ics-cert.us-cert.gov/advisories/icsa-18-102-02

Trust: 1.3

url:http://www.securityfocus.com/archive/1/541119/100/0/threaded

Trust: 1.0

url:http://www.securityfocus.com/bid/104433

Trust: 1.0

url:https://www.exploit-db.com/exploits/42610/

Trust: 1.0

url:https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1073133

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-13754

Trust: 0.8

url:https://www.us-cert.gov/ics/advisories/icsa-18-102-02

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/541119/100/0/threaded

Trust: 0.6

url:http://www.rockwellautomation.com/

Trust: 0.3

url:http://www.wibu.com/

Trust: 0.3

sources: CNVD: CNVD-2017-32459 // BID: 104433 // JVNDB: JVNDB-2017-007768 // CNNVD: CNNVD-201709-058 // NVD: CVE-2017-13754

CREDITS

Rockwell Automation

Trust: 0.3

sources: BID: 104433

SOURCES

db: IVD  id: 05bed560-8aa3-476d-a0cb-40b1fdd83a18
db: CNVD  id: CNVD-2017-32459
db: BID  id: 104433
db: JVNDB  id: JVNDB-2017-007768
db: CNNVD  id: CNNVD-201709-058
db: NVD  id: CVE-2017-13754

LAST UPDATE DATE

2024-11-23T22:22:47.059000+00:00


SOURCES UPDATE DATE

db: CNVD  id: CNVD-2017-32459  date: 2017-11-02T00:00:00
db: BID  id: 104433  date: 2018-05-10T00:00:00
db: JVNDB  id: JVNDB-2017-007768  date: 2019-07-10T00:00:00
db: CNNVD  id: CNNVD-201709-058  date: 2017-09-11T00:00:00
db: NVD  id: CVE-2017-13754  date: 2024-11-21T03:11:35.880

SOURCES RELEASE DATE

db: IVD  id: 05bed560-8aa3-476d-a0cb-40b1fdd83a18  date: 2017-11-02T00:00:00
db: CNVD  id: CNVD-2017-32459  date: 2017-11-02T00:00:00
db: BID  id: 104433  date: 2018-05-10T00:00:00
db: JVNDB  id: JVNDB-2017-007768  date: 2017-10-02T00:00:00
db: CNNVD  id: CNNVD-201709-058  date: 2017-08-29T00:00:00
db: NVD  id: CVE-2017-13754  date: 2017-09-07T13:29:00.620