Sign-up

ID

VAR-201903-0187


CVE

CVE-2019-6565


TITLE

Moxa IKS and EDS Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-002201

DESCRIPTION

Moxa IKS and EDS fails to properly validate user input, giving unauthenticated and authenticated attackers the ability to perform XSS attacks, which may be used to send a malicious script. Moxa IKS and EDS Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. MoxaIKS and EDS are Moxa's line of industrial switches. A cross-site scripting vulnerability exists in the MoxaIKS and EDS series. The vulnerability stems from a failure to properly validate user input. An attacker could exploit this vulnerability for a cross-site scripting attack. A cross-site-scripting vulnerability 2. Multiple stack-based buffer-overflow vulnerabilities 3. A security vulnerability 4. An information disclosure vulnerability 5. Multiple denial-of-service vulnerabilities 7. A security-bypass vulnerability 8. An authentication bypass vulnerability An attacker may leverage these issues to view arbitrary files within the context of the web server, execute arbitrary script code in the browser of the victim in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information, compromise the application, access or modify data, reboot or crash of the application resulting in a denial of service condition, bypass security restrictions, or execute arbitrary code. This may lead to other vulnerabilities. The following Moxa products and versions are affected: IKS-G6824A series versions 4.5 and prior, EDS-405A series versions 3.8 and prior, EDS-408A series versions 3.8 and prior, and EDS-510A series versions 3.8 and prior. Moxa IKS-G6824A series are all products of Moxa Company in Taiwan, China. IKS-G6824A series is a series of rack-mount Ethernet switches. EDS-405A series is an EDS-405A series Ethernet switch. EDS-408A series is an EDS-408A series Ethernet switch

Trust: 2.79

sources: NVD: CVE-2019-6565 // JVNDB: JVNDB-2019-002201 // CNVD: CNVD-2019-06178 // BID: 107178 // IVD: 709e83c1-c0d8-464a-b6c8-07e965ae9b94 // VULHUB: VHN-158000 // VULMON: CVE-2019-6565

IOT TAXONOMY

category:['ICS', 'Network device']sub_category: -

Trust: 0.6

category:['ICS']sub_category: -

Trust: 0.2

sources: IVD: 709e83c1-c0d8-464a-b6c8-07e965ae9b94 // CNVD: CNVD-2019-06178

AFFECTED PRODUCTS

vendor:moxamodel:eds-405ascope:lteversion:3.8

Trust: 1.0

vendor:moxamodel:eds-408ascope:lteversion:3.8

Trust: 1.0

vendor:moxamodel:iks-g6824ascope:lteversion:4.5

Trust: 1.0

vendor:moxamodel:eds-510ascope:lteversion:3.8

Trust: 1.0

vendor:moxamodel:eds-405a seriesscope: - version: -

Trust: 0.8

vendor:moxamodel:eds-408a seriesscope: - version: -

Trust: 0.8

vendor:moxamodel:eds-510a seriesscope: - version: -

Trust: 0.8

vendor:moxamodel:iks-g6824a seriesscope: - version: -

Trust: 0.8

vendor:moxamodel:iks-g6824ascope:lteversion:<=4.5

Trust: 0.6

vendor:moxamodel:eds-405ascope:lteversion:<=3.8

Trust: 0.6

vendor:moxamodel:eds-408ascope:lteversion:<=3.8

Trust: 0.6

vendor:moxamodel:eds-510ascope:lteversion:<=3.8

Trust: 0.6

vendor:moxamodel:iks-g6824ascope:eqversion:4.5

Trust: 0.3

vendor:moxamodel:eds-510ascope:eqversion:3.8

Trust: 0.3

vendor:moxamodel:eds-408ascope:eqversion:3.8

Trust: 0.3

vendor:moxamodel:eds-405ascope:eqversion:3.8

Trust: 0.3

vendor:iks g6824amodel: - scope:eqversion:*

Trust: 0.2

vendor:eds 405amodel: - scope:eqversion:*

Trust: 0.2

vendor:eds 408amodel: - scope:eqversion:*

Trust: 0.2

vendor:eds 510amodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 709e83c1-c0d8-464a-b6c8-07e965ae9b94 // CNVD: CNVD-2019-06178 // BID: 107178 // JVNDB: JVNDB-2019-002201 // NVD: CVE-2019-6565

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-6565
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-6565
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-06178
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201902-961
value: MEDIUM

Trust: 0.6

IVD: 709e83c1-c0d8-464a-b6c8-07e965ae9b94
value: MEDIUM

Trust: 0.2

VULHUB: VHN-158000
value: MEDIUM

Trust: 0.1

VULMON: CVE-2019-6565
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-6565
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-06178
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 709e83c1-c0d8-464a-b6c8-07e965ae9b94
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-158000
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-6565
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2019-6565
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 709e83c1-c0d8-464a-b6c8-07e965ae9b94 // CNVD: CNVD-2019-06178 // VULHUB: VHN-158000 // VULMON: CVE-2019-6565 // JVNDB: JVNDB-2019-002201 // CNNVD: CNNVD-201902-961 // NVD: CVE-2019-6565

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-158000 // JVNDB: JVNDB-2019-002201 // NVD: CVE-2019-6565

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201902-961

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201902-961

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-002201

PATCH
title:Top Pageurl:https://www.moxa.com/en/
Trust: 0.8
title:Patch for MoxaIKS and EDS Cross-Site Scripting Vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/155215
Trust: 0.6
title:Multiple Moxa Fixes for product cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89676
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-06178 // 
            
            
            
            JVNDB: JVNDB-2019-002201 // 
            
            
            
            CNNVD: CNNVD-201902-961

EXTERNAL IDS
db:NVDid:CVE-2019-6565
Trust: 3.7
db:ICS CERTid:ICSA-19-057-01
Trust: 3.5
db:BIDid:107178
Trust: 2.1
db:CNNVDid:CNNVD-201902-961
Trust: 0.9
db:CNVDid:CNVD-2019-06178
Trust: 0.8
db:JVNDBid:JVNDB-2019-002201
Trust: 0.8
db:AUSCERTid:ESB-2019.0597
Trust: 0.6
db:IVDid:709E83C1-C0D8-464A-B6C8-07E965AE9B94
Trust: 0.2
db:VULHUBid:VHN-158000
Trust: 0.1
db:VULMONid:CVE-2019-6565
Trust: 0.1
sources:
            
            
            IVD: 709e83c1-c0d8-464a-b6c8-07e965ae9b94 // 
            
            
            
            CNVD: CNVD-2019-06178 // 
            
            
            
            VULHUB: VHN-158000 // 
            
            
            
            VULMON: CVE-2019-6565 // 
            
            
            
            BID: 107178 // 
            
            
            
            JVNDB: JVNDB-2019-002201 // 
            
            
            
            CNNVD: CNNVD-201902-961 // 
            
            
            
            NVD: CVE-2019-6565

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-19-057-01
Trust: 3.6
url:http://www.securityfocus.com/bid/107178
Trust: 2.5
url:https://nvd.nist.gov/vuln/detail/cve-2019-6565
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6565
Trust: 0.8
url:https://www.us-cert.gov/ics/advisories/icsa-19-057-01
Trust: 0.6
url:https://www.auscert.org.au/bulletins/76138
Trust: 0.6
url:http://www.moxastore.com/
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/79.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-06178 // 
            
            
            
            VULHUB: VHN-158000 // 
            
            
            
            VULMON: CVE-2019-6565 // 
            
            
            
            BID: 107178 // 
            
            
            
            JVNDB: JVNDB-2019-002201 // 
            
            
            
            CNNVD: CNNVD-201902-961 // 
            
            
            
            NVD: CVE-2019-6565

CREDITS
Ivan B, Sergey Fedonin, and Vyacheslav Moskvin of Positive Technologies Security reported these vulnerabilities to NCCIC.
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201902-961

SOURCES
db:IVDid:709e83c1-c0d8-464a-b6c8-07e965ae9b94
db:CNVDid:CNVD-2019-06178
db:VULHUBid:VHN-158000
db:VULMONid:CVE-2019-6565
db:BIDid:107178
db:JVNDBid:JVNDB-2019-002201
db:CNNVDid:CNNVD-201902-961
db:NVDid:CVE-2019-6565

LAST UPDATE DATE
2024-08-14T13:26:52.215000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-06178date:2019-03-05T00:00:00
db:VULHUBid:VHN-158000date:2022-11-30T00:00:00
db:VULMONid:CVE-2019-6565date:2019-10-09T00:00:00
db:BIDid:107178date:2019-02-26T00:00:00
db:JVNDBid:JVNDB-2019-002201date:2019-04-04T00:00:00
db:CNNVDid:CNNVD-201902-961date:2019-10-25T00:00:00
db:NVDid:CVE-2019-6565date:2022-11-30T22:19:28.110

SOURCES RELEASE DATE
db:IVDid:709e83c1-c0d8-464a-b6c8-07e965ae9b94date:2019-03-05T00:00:00
db:CNVDid:CNVD-2019-06178date:2019-03-05T00:00:00
db:VULHUBid:VHN-158000date:2019-03-05T00:00:00
db:VULMONid:CVE-2019-6565date:2019-03-05T00:00:00
db:BIDid:107178date:2019-02-26T00:00:00
db:JVNDBid:JVNDB-2019-002201date:2019-04-04T00:00:00
db:CNNVDid:CNNVD-201902-961date:2019-02-26T00:00:00
db:NVDid:CVE-2019-6565date:2019-03-05T20:29:00.577