ID

VAR-201907-1454


CVE

CVE-2019-10933


TITLE

Siemens Spectrum Power Cross-Site Scripting Vulnerability

Trust: 1.4

sources: IVD: 6fadaa99-9dc6-435b-b7be-74c446dcc7c6 // CNVD: CNVD-2019-22236 // CNNVD: CNNVD-201907-537

DESCRIPTION

A vulnerability has been identified in Spectrum Power 3 (Corporate User Interface) (All versions <= v3.11), Spectrum Power 4 (Corporate User Interface) (Version v4.75), Spectrum Power 5 (Corporate User Interface) (All versions < v5.50), Spectrum Power 7 (Corporate User Interface) (All versions <= v2.20). The web server could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for successful exploitation. The user does not need to be logged into the web interface in order for the exploitation to succeed. At the time of publishing this security advisory, no public exploitation is known. Spectrum Power contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Siemens Spectrum Power is a system that provides the basic components for SCADA, communication and data modeling of control and monitoring systems. A cross-site scripting vulnerability exists in Siemens Spectrum Power. A remote attacker could exploit this vulnerability to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This allows an attacker to steal cookie-based authentication credentials and initiate other attacks.

Trust: 2.7

sources: NVD: CVE-2019-10933 // JVNDB: JVNDB-2019-006503 // CNVD: CNVD-2019-22236 // BID: 109109 // IVD: 6fadaa99-9dc6-435b-b7be-74c446dcc7c6 // VULMON: CVE-2019-10933

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 6fadaa99-9dc6-435b-b7be-74c446dcc7c6 // CNVD: CNVD-2019-22236

AFFECTED PRODUCTS

vendor: siemens, model: spectrum power 3, scope: lte, version: 3.11

Trust: 1.8

vendor: siemens, model: spectrum power 5, scope: lte, version: 5.50

Trust: 1.8

vendor: siemens, model: spectrum power 7, scope: lte, version: 2.20

Trust: 1.8

vendor: siemens, model: spectrum power 4, scope: lte, version: 4.75

Trust: 1.0

vendor: siemens, model: spectrum power 4, scope: eq, version: 4.75

Trust: 0.8

vendor: siemens, model: spectrum power, scope: eq, version: 3<=v3.11

Trust: 0.6

vendor: siemens, model: spectrum power, scope: eq, version: 4v4.75

Trust: 0.6

vendor: siemens, model: spectrum power, scope: eq, version: 5<=v5.50

Trust: 0.6

vendor: siemens, model: spectrum power, scope: eq, version: 7<=v2.20

Trust: 0.6

vendor: siemens, model: spectrum power, scope: eq, version: 72.20

Trust: 0.3

vendor: siemens, model: spectrum power, scope: eq, version: 55.50

Trust: 0.3

vendor: siemens, model: spectrum power, scope: eq, version: 44.75

Trust: 0.3

vendor: siemens, model: spectrum power, scope: eq, version: 33.11

Trust: 0.3

vendor: spectrum power 3, model: -, scope: eq, version: *

Trust: 0.2

vendor: spectrum power 4, model: -, scope: eq, version: *

Trust: 0.2

vendor: spectrum power 5, model: -, scope: eq, version: *

Trust: 0.2

vendor: spectrum power 7, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: 6fadaa99-9dc6-435b-b7be-74c446dcc7c6 // CNVD: CNVD-2019-22236 // BID: 109109 // JVNDB: JVNDB-2019-006503 // NVD: CVE-2019-10933

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-10933
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-10933
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-22236
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201907-537
value: MEDIUM

Trust: 0.6

IVD: 6fadaa99-9dc6-435b-b7be-74c446dcc7c6
value: MEDIUM

Trust: 0.2

VULMON: CVE-2019-10933
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-10933
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-22236
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 6fadaa99-9dc6-435b-b7be-74c446dcc7c6
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2019-10933
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: IVD: 6fadaa99-9dc6-435b-b7be-74c446dcc7c6 // CNVD: CNVD-2019-22236 // VULMON: CVE-2019-10933 // JVNDB: JVNDB-2019-006503 // CNNVD: CNNVD-201907-537 // NVD: CVE-2019-10933

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

problemtype:CWE-80

Trust: 1.0

sources: JVNDB: JVNDB-2019-006503 // NVD: CVE-2019-10933

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-537

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201907-537

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006503

PATCH

title: SSA-747162, url: https://cert-portal.siemens.com/productcert/pdf/ssa-747162.pdf

Trust: 0.8

title: Patch for Siemens Spectrum Power Cross-Site Scripting Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/168527

Trust: 0.6

title: Siemens Security Advisories: Siemens Security Advisory, url: https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=c3de5b6869ee49cbd427bbb85cd4b0c9

Trust: 0.1

sources: CNVD: CNVD-2019-22236 // VULMON: CVE-2019-10933 // JVNDB: JVNDB-2019-006503

EXTERNAL IDS

db: NVD, id: CVE-2019-10933

Trust: 3.6

db: SIEMENS, id: SSA-747162

Trust: 2.3

db: ICS CERT, id: ICSA-19-190-04

Trust: 1.7

db: BID, id: 109109

Trust: 1.6

db: CNVD, id: CNVD-2019-22236

Trust: 0.8

db: CNNVD, id: CNNVD-201907-537

Trust: 0.8

db: JVNDB, id: JVNDB-2019-006503

Trust: 0.8

db: AUSCERT, id: ESB-2019.2524

Trust: 0.6

db: IVD, id: 6FADAA99-9DC6-435B-B7BE-74C446DCC7C6

Trust: 0.2

db: VULMON, id: CVE-2019-10933

Trust: 0.1

sources: IVD: 6fadaa99-9dc6-435b-b7be-74c446dcc7c6 // CNVD: CNVD-2019-22236 // VULMON: CVE-2019-10933 // BID: 109109 // JVNDB: JVNDB-2019-006503 // CNNVD: CNNVD-201907-537 // NVD: CVE-2019-10933

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-747162.pdf

Trust: 2.3

url:https://www.us-cert.gov/ics/advisories/icsa-19-190-04

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-10933

Trust: 1.4

url:http://www.siemens.com/

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10933

Trust: 0.8

url:https://www.securityfocus.com/bid/109109

Trust: 0.7

url:https://www.auscert.org.au/bulletins/esb-2019.2524/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2019-22236 // VULMON: CVE-2019-10933 // BID: 109109 // JVNDB: JVNDB-2019-006503 // CNNVD: CNNVD-201907-537 // NVD: CVE-2019-10933

CREDITS

Ismail Mert AY AK of Biznet Bilisim Sistemleri Danismanlik

Trust: 0.9

sources: BID: 109109 // CNNVD: CNNVD-201907-537

SOURCES

db: IVD, id: 6fadaa99-9dc6-435b-b7be-74c446dcc7c6
db: CNVD, id: CNVD-2019-22236
db: VULMON, id: CVE-2019-10933
db: BID, id: 109109
db: JVNDB, id: JVNDB-2019-006503
db: CNNVD, id: CNNVD-201907-537
db: NVD, id: CVE-2019-10933

LAST UPDATE DATE

2024-08-14T14:26:13.929000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-22236, date: 2019-07-12T00:00:00
db: VULMON, id: CVE-2019-10933, date: 2019-08-13T00:00:00
db: BID, id: 109109, date: 2019-07-09T00:00:00
db: JVNDB, id: JVNDB-2019-006503, date: 2019-08-05T00:00:00
db: CNNVD, id: CNNVD-201907-537, date: 2019-08-15T00:00:00
db: NVD, id: CVE-2019-10933, date: 2019-08-13T20:15:11.447

SOURCES RELEASE DATE

db: IVD, id: 6fadaa99-9dc6-435b-b7be-74c446dcc7c6, date: 2019-07-12T00:00:00
db: CNVD, id: CNVD-2019-22236, date: 2019-07-12T00:00:00
db: VULMON, id: CVE-2019-10933, date: 2019-07-11T00:00:00
db: BID, id: 109109, date: 2019-07-09T00:00:00
db: JVNDB, id: JVNDB-2019-006503, date: 2019-07-22T00:00:00
db: CNNVD, id: CNNVD-201907-537, date: 2019-07-10T00:00:00
db: NVD, id: CVE-2019-10933, date: 2019-07-11T22:15:11.733