ID

VAR-201905-0988


CVE

CVE-2018-7064


TITLE

Aruba Instant Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-015806

DESCRIPTION

A reflected cross-site scripting (XSS) vulnerability is present in an unauthenticated Aruba Instant web interface. An attacker could use this vulnerability to trick an IAP administrator into clicking a link, which could then take administrative actions on the Instant cluster or expose the session cookie for an administrative session.

Workaround: Administrators should make sure they log out of the Aruba Instant UI when not actively managing the system, and should use caution when clicking links from external sources while logged into the IAP administrative interface.

Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.0.

Siemens SCALANCE W1750D is prone to the following security vulnerabilities:
1. Multiple information disclosure vulnerabilities
2. A cross-site scripting vulnerability
3. Multiple remote command injection vulnerabilities

Attackers can exploit these issues to obtain sensitive information, or to execute arbitrary commands or arbitrary HTML or script code in the browser of an unsuspecting user within the context of the affected application. This can allow the attacker to steal cookie-based authentication credentials and aid in further attacks. Versions prior to SCALANCE W1750D 8.4.0.1 are vulnerable.

Trust: 1.98

sources: NVD: CVE-2018-7064 // JVNDB: JVNDB-2018-015806 // BID: 108374 // VULMON: CVE-2018-7064

AFFECTED PRODUCTS

vendor: arubanetworks // model: aruba instant // scope: lt // version: 4.2.4.12

Trust: 1.0

vendor: arubanetworks // model: aruba instant // scope: lt // version: 8.3.0.6

Trust: 1.0

vendor: arubanetworks // model: aruba instant // scope: gte // version: 6.5.0

Trust: 1.0

vendor: arubanetworks // model: aruba instant // scope: gte // version: 8.4.0

Trust: 1.0

vendor: arubanetworks // model: aruba instant // scope: gte // version: 8.3.0

Trust: 1.0

vendor: arubanetworks // model: aruba instant // scope: lt // version: 8.4.0.1

Trust: 1.0

vendor: siemens // model: scalance w1750d // scope: lt // version: 8.4.0.1

Trust: 1.0

vendor: arubanetworks // model: aruba instant // scope: lt // version: 6.5.4.11

Trust: 1.0

vendor: arubanetworks // model: aruba instant // scope: gte // version: 4.0

Trust: 1.0

vendor: aruba // model: instant ap // scope: - // version: -

Trust: 0.8

vendor: siemens // model: scalance w1750d // scope: - // version: -

Trust: 0.8

vendor: siemens // model: scalance w1750d // scope: eq // version: 0

Trust: 0.3

vendor: siemens // model: scalance w1750d // scope: ne // version: 8.4.0.1

Trust: 0.3

sources: BID: 108374 // JVNDB: JVNDB-2018-015806 // NVD: CVE-2018-7064

CVSS

SEVERITY

NVD: CVE-2018-7064
value: MEDIUM

Trust: 1.8

CNNVD: CNNVD-201903-050
value: MEDIUM

Trust: 0.6

VULMON: CVE-2018-7064
value: MEDIUM

Trust: 0.1

CVSSV2

VULMON: CVE-2018-7064
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CVSSV3

NVD: CVE-2018-7064
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 1.8

sources: VULMON: CVE-2018-7064 // JVNDB: JVNDB-2018-015806 // CNNVD: CNNVD-201903-050 // NVD: CVE-2018-7064

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2018-015806 // NVD: CVE-2018-7064

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-050

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201903-050

CONFIGURATIONS

sources: NVD: CVE-2018-7064

PATCH

title: ARUBA-PSA-2019-001 // url: https://www.arubanetworks.com/assets/alert/aruba-psa-2019-001.txt

Trust: 0.8

title: SSA-549547 // url: https://cert-portal.siemens.com/productcert/pdf/ssa-549547.pdf

Trust: 0.8

title: Aruba Networks Instant Fixes for cross-site scripting vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=98210

Trust: 0.6

title: Siemens Security Advisories: Siemens Security Advisory // url: https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=f04f471bbc12c6e00cc683978d7f0589

Trust: 0.1

sources: VULMON: CVE-2018-7064 // JVNDB: JVNDB-2018-015806 // CNNVD: CNNVD-201903-050

EXTERNAL IDS

db: NVD // id: CVE-2018-7064

Trust: 2.8

db: BID // id: 108374

Trust: 2.0

db: ICS CERT // id: ICSA-19-134-07

Trust: 1.8

db: SIEMENS // id: SSA-549547

Trust: 1.7

db: JVNDB // id: JVNDB-2018-015806

Trust: 0.8

db: ICS CERT // id: ICSA-19-134-02

Trust: 0.6

db: AUSCERT // id: ESB-2019.1716.2

Trust: 0.6

db: CNNVD // id: CNNVD-201903-050

Trust: 0.6

db: VULMON // id: CVE-2018-7064

Trust: 0.1

sources: VULMON: CVE-2018-7064 // BID: 108374 // JVNDB: JVNDB-2018-015806 // CNNVD: CNNVD-201903-050 // NVD: CVE-2018-7064

REFERENCES

url: http://www.securityfocus.com/bid/108374

Trust: 2.4

url: https://www.arubanetworks.com/assets/alert/aruba-psa-2019-001.txt

Trust: 1.7

url: https://cert-portal.siemens.com/productcert/pdf/ssa-549547.pdf

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2018-7064

Trust: 1.4

url: https://ics-cert.us-cert.gov/advisories/icsa-19-134-07

Trust: 1.0

url: http://www.siemens.com/

Trust: 0.9

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7064

Trust: 0.8

url: https://www.us-cert.gov/ics/advisories/icsa-19-134-07

Trust: 0.8

url: https://ics-cert.us-cert.gov/advisories/icsa-19-134-02-0

Trust: 0.6

url: https://vigilance.fr/vulnerability/alcatel-lucent-enterprise-omniaccess-wlan-instant-multiple-vulnerabilities-28646

Trust: 0.6

url: https://www.auscert.org.au/bulletins/80946

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2018-7064 // BID: 108374 // JVNDB: JVNDB-2018-015806 // CNNVD: CNNVD-201903-050 // NVD: CVE-2018-7064

CREDITS

Siemens reported these vulnerabilities to NCCIC.

Trust: 0.6

sources: CNNVD: CNNVD-201903-050

SOURCES

db: VULMON // id: CVE-2018-7064
db: BID // id: 108374
db: JVNDB // id: JVNDB-2018-015806
db: CNNVD // id: CNNVD-201903-050
db: NVD // id: CVE-2018-7064

LAST UPDATE DATE

2022-05-04T08:54:09.739000+00:00


SOURCES UPDATE DATE

db: VULMON // id: CVE-2018-7064 // date: 2019-05-21T00:00:00
db: BID // id: 108374 // date: 2019-05-14T00:00:00
db: JVNDB // id: JVNDB-2018-015806 // date: 2019-07-09T00:00:00
db: CNNVD // id: CNNVD-201903-050 // date: 2019-09-12T00:00:00
db: NVD // id: CVE-2018-7064 // date: 2019-05-21T18:48:00

SOURCES RELEASE DATE

db: VULMON // id: CVE-2018-7064 // date: 2019-05-10T00:00:00
db: BID // id: 108374 // date: 2019-05-14T00:00:00
db: JVNDB // id: JVNDB-2018-015806 // date: 2019-07-09T00:00:00
db: CNNVD // id: CNNVD-201903-050 // date: 2019-03-04T00:00:00
db: NVD // id: CVE-2018-7064 // date: 2019-05-10T18:29:00