ID

VAR-201910-0806


CVE

CVE-2019-14928


TITLE

Mitsubishi Electric smartRTU and Inea ME-RTU cross-site scripting vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-47032 // CNNVD: CNNVD-201910-1540

DESCRIPTION

An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A number of stored cross-site scripting (XSS) vulnerabilities allow an attacker to inject malicious code directly into the application. An example input variable vulnerable to stored XSS is SerialInitialModemString in the index.php page. A cross-site scripting vulnerability exists in Mitsubishi Electric ME-RTU and INEA ME-RTU devices. Information may be obtained and tampered with. Inea ME-RTU is an intelligent communication gateway product from the Slovenian company Inea. The vulnerability stems from the web application's lack of proper validation of client-supplied data. Attackers can use this vulnerability to execute client-side code.

Trust: 2.34

sources: NVD: CVE-2019-14928 // JVNDB: JVNDB-2019-011335 // CNVD: CNVD-2019-47032 // IVD: a0fd0642-9485-47f3-8f32-5b171ad28729

IOT TAXONOMY

category: ['ICS', 'Network device'] sub_category: -

Trust: 0.6

category: ['ICS'] sub_category: -

Trust: 0.2

sources: IVD: a0fd0642-9485-47f3-8f32-5b171ad28729 // CNVD: CNVD-2019-47032

AFFECTED PRODUCTS

vendor: mitsubishielectric model: smartrtu scope: lte version: 2.02

Trust: 1.0

vendor: inea model: me-rtu scope: lte version: 3.0

Trust: 1.0

vendor: inea d o o model: me-rtu scope: - version: -

Trust: 0.8

vendor: 三菱電機 model: smartrtu scope: - version: -

Trust: 0.8

vendor: mitsubishi model: electric mitsubishi electric smartrtu scope: lte version: <=2.02

Trust: 0.6

vendor: inea model: me-rtu scope: lte version: <=3.0

Trust: 0.6

vendor: smartrtu model: - scope: eq version: *

Trust: 0.2

vendor: me rtu model: - scope: eq version: *

Trust: 0.2

sources: IVD: a0fd0642-9485-47f3-8f32-5b171ad28729 // CNVD: CNVD-2019-47032 // JVNDB: JVNDB-2019-011335 // NVD: CVE-2019-14928

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-14928
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-14928
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-47032
value: LOW

Trust: 0.6

CNNVD: CNNVD-201910-1540
value: MEDIUM

Trust: 0.6

IVD: a0fd0642-9485-47f3-8f32-5b171ad28729
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2019-14928
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-47032
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: a0fd0642-9485-47f3-8f32-5b171ad28729
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2019-14928
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2019-14928
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: a0fd0642-9485-47f3-8f32-5b171ad28729 // CNVD: CNVD-2019-47032 // JVNDB: JVNDB-2019-011335 // CNNVD: CNNVD-201910-1540 // NVD: CVE-2019-14928

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

problemtype:Cross-site scripting (CWE-79) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2019-011335 // NVD: CVE-2019-14928

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1540

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201910-1540

PATCH

title: ME RTU Mitsubishi Electric MITSUBISHI ELECTRIC AUTOMATION url: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/

Trust: 0.8

sources: JVNDB: JVNDB-2019-011335

EXTERNAL IDS

db: NVD id: CVE-2019-14928

Trust: 3.2

db: ICS CERT id: ICSA-21-252-03

Trust: 1.4

db: CNVD id: CNVD-2019-47032

Trust: 0.8

db: CNNVD id: CNNVD-201910-1540

Trust: 0.8

db: JVN id: JVNVU93054759

Trust: 0.8

db: JVNDB id: JVNDB-2019-011335

Trust: 0.8

db: AUSCERT id: ESB-2021.3043

Trust: 0.6

db: IVD id: A0FD0642-9485-47F3-8F32-5B171AD28729

Trust: 0.2

sources: IVD: a0fd0642-9485-47f3-8f32-5b171ad28729 // CNVD: CNVD-2019-47032 // JVNDB: JVNDB-2019-011335 // CNNVD: CNNVD-201910-1540 // NVD: CVE-2019-14928

REFERENCES

url:https://www.mogozobo.com/?p=3593

Trust: 3.0

url:https://nvd.nist.gov/vuln/detail/cve-2019-14928

Trust: 1.4

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-252-03

Trust: 1.4

url:https://www.mogozobo.com/

Trust: 1.0

url:https://jvn.jp/vu/jvnvu93054759/

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2021.3043

Trust: 0.6

sources: CNVD: CNVD-2019-47032 // JVNDB: JVNDB-2019-011335 // CNNVD: CNNVD-201910-1540 // NVD: CVE-2019-14928

CREDITS

Mark Cross (@xerubus) reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-201910-1540

SOURCES

db: IVD id: a0fd0642-9485-47f3-8f32-5b171ad28729
db: CNVD id: CNVD-2019-47032
db: JVNDB id: JVNDB-2019-011335
db: CNNVD id: CNNVD-201910-1540
db: NVD id: CVE-2019-14928

LAST UPDATE DATE

2024-11-23T21:36:35.079000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2019-47032 date: 2019-12-26T00:00:00
db: JVNDB id: JVNDB-2019-011335 date: 2021-09-14T05:51:00
db: CNNVD id: CNNVD-201910-1540 date: 2021-09-10T00:00:00
db: NVD id: CVE-2019-14928 date: 2024-11-21T04:27:42.147

SOURCES RELEASE DATE

db: IVD id: a0fd0642-9485-47f3-8f32-5b171ad28729 date: 2019-12-26T00:00:00
db: CNVD id: CNVD-2019-47032 date: 2019-12-26T00:00:00
db: JVNDB id: JVNDB-2019-011335 date: 2019-11-05T00:00:00
db: CNNVD id: CNNVD-201910-1540 date: 2019-10-28T00:00:00
db: NVD id: CVE-2019-14928 date: 2019-10-28T13:15:10.837