ID

VAR-202002-0450


CVE

CVE-2019-13924


TITLE

Multiple SCALANCE products: vulnerability in improper restriction of rendered user interface layers or frames

Trust: 0.8

sources: JVNDB: JVNDB-2019-014544

DESCRIPTION

A vulnerability has been identified in SCALANCE S602 (All versions < V4.1), SCALANCE S612 (All versions < V4.1), SCALANCE S623 (All versions < V4.1), SCALANCE S627-2M (All versions < V4.1), SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.5.0), SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < 4.1.3). The device does not send the X-Frame-Options header in the administrative web interface, which makes it vulnerable to clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface.

Multiple SCALANCE products contain a vulnerability regarding improper restriction of rendered user interface layers or frames. Information may be obtained and tampered with.

Siemens Scalance X-200, etc. are all industrial-grade Ethernet switches from the German company Siemens. Input validation error vulnerabilities exist in many Siemens products, and attackers can use this vulnerability to hijack the click operations of other users.

Trust: 2.25

sources: NVD: CVE-2019-13924 // JVNDB: JVNDB-2019-014544 // CNVD: CNVD-2020-23037 // VULMON: CVE-2019-13924

IOT TAXONOMY

category: ['Network device'] | sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-23037

AFFECTED PRODUCTS

vendor: siemens | model: scalance x-200irt | scope: - | version: -

Trust: 1.4

vendor: siemens | model: scalance xr-300wg | scope: lt | version: 4.1.3

Trust: 1.0

vendor: siemens | model: scalance xb-200 | scope: lt | version: 5.2.4

Trust: 1.0

vendor: siemens | model: scalance xc-200 | scope: lt | version: 5.2.4

Trust: 1.0

vendor: siemens | model: scalance x-300 | scope: lt | version: 4.1.3

Trust: 1.0

vendor: siemens | model: scalance x-200irt | scope: eq | version: *

Trust: 1.0

vendor: siemens | model: scalance xp-200 | scope: lt | version: 5.2.4

Trust: 1.0

vendor: siemens | model: scalance xf-200 | scope: lt | version: 5.2.4

Trust: 1.0

vendor: siemens | model: scalance xr-300 | scope: lt | version: 4.1.3

Trust: 1.0

vendor: siemens | model: scalance x-300 | scope: - | version: -

Trust: 0.8

vendor: siemens | model: scalance xb-200 | scope: - | version: -

Trust: 0.8

vendor: siemens | model: scalance xc-200 | scope: - | version: -

Trust: 0.8

vendor: siemens | model: scalance xf-200 | scope: - | version: -

Trust: 0.8

vendor: siemens | model: scalance xp-200 | scope: - | version: -

Trust: 0.8

vendor: siemens | model: scalance xr-300 | scope: - | version: -

Trust: 0.8

vendor: siemens | model: scalance xr-300wg | scope: - | version: -

Trust: 0.8

vendor: siemens | model: scalance | scope: eq | version: x-200<5.2.4

Trust: 0.6

vendor: siemens | model: scalance | scope: eq | version: x-300<4.1.3

Trust: 0.6

sources: CNVD: CNVD-2020-23037 // JVNDB: JVNDB-2019-014544 // NVD: CVE-2019-13924

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-13924
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2019-014544
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-23037
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202002-448
value: MEDIUM

Trust: 0.6

VULMON: CVE-2019-13924
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-13924
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2019-014544
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-23037
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-13924
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.5
version: 3.1

Trust: 1.0

NVD: JVNDB-2019-014544
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-23037 // VULMON: CVE-2019-13924 // JVNDB: JVNDB-2019-014544 // CNNVD: CNNVD-202002-448 // NVD: CVE-2019-13924

PROBLEMTYPE DATA

problemtype:CWE-1021

Trust: 1.8

problemtype:CWE-693

Trust: 1.0

sources: JVNDB: JVNDB-2019-014544 // NVD: CVE-2019-13924

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-448

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202002-448

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-014544

PATCH

title: SSA-951513 | url: https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf

Trust: 0.8

title: Patch for Multiple Siemens product input verification error vulnerabilities (CNVD-2020-23037) | url: https://www.cnvd.org.cn/patchInfo/show/214035

Trust: 0.6

title: Siemens Security Advisories: Siemens Security Advisory | url: https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=5642b576f8acf92e9e203f2ccf52e87d

Trust: 0.1

sources: CNVD: CNVD-2020-23037 // VULMON: CVE-2019-13924 // JVNDB: JVNDB-2019-014544

EXTERNAL IDS

db: ICS CERT | id: ICSA-20-042-07

Trust: 3.1

db: NVD | id: CVE-2019-13924

Trust: 3.1

db: SIEMENS | id: SSA-951513

Trust: 1.7

db: JVNDB | id: JVNDB-2019-014544

Trust: 0.8

db: CNVD | id: CNVD-2020-23037

Trust: 0.6

db: ICS CERT | id: ICSA-20-042-06

Trust: 0.6

db: ICS CERT | id: ICSA-20-042-08

Trust: 0.6

db: ICS CERT | id: ICSA-20-042-10

Trust: 0.6

db: ICS CERT | id: ICSA-20-042-02

Trust: 0.6

db: ICS CERT | id: ICSA-20-042-01

Trust: 0.6

db: ICS CERT | id: ICSA-20-042-05

Trust: 0.6

db: ICS CERT | id: ICSA-20-042-03

Trust: 0.6

db: ICS CERT | id: ICSA-20-042-09

Trust: 0.6

db: ICS CERT | id: ICSA-20-042-04

Trust: 0.6

db: AUSCERT | id: ESB-2020.0486.3

Trust: 0.6

db: AUSCERT | id: ESB-2020.0486.2

Trust: 0.6

db: AUSCERT | id: ESB-2020.0486

Trust: 0.6

db: CNNVD | id: CNNVD-202002-448

Trust: 0.6

db: VULMON | id: CVE-2019-13924

Trust: 0.1

sources: CNVD: CNVD-2020-23037 // VULMON: CVE-2019-13924 // JVNDB: JVNDB-2019-014544 // CNNVD: CNNVD-202002-448 // NVD: CVE-2019-13924

REFERENCES

url:https://www.us-cert.gov/ics/advisories/icsa-20-042-07

Trust: 3.7

url:https://cert-portal.siemens.com/productcert/pdf/ssa-951513.pdf

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-13924

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13924

Trust: 0.8

url:https://www.us-cert.gov/ics/advisories/icsa-20-042-10

Trust: 0.6

url:https://www.us-cert.gov/ics/advisories/icsa-20-042-09

Trust: 0.6

url:https://www.us-cert.gov/ics/advisories/icsa-20-042-08

Trust: 0.6

url:https://www.us-cert.gov/ics/advisories/icsa-20-042-06

Trust: 0.6

url:https://www.us-cert.gov/ics/advisories/icsa-20-042-05

Trust: 0.6

url:https://www.us-cert.gov/ics/advisories/icsa-20-042-04

Trust: 0.6

url:https://www.us-cert.gov/ics/advisories/icsa-20-042-03

Trust: 0.6

url:https://www.us-cert.gov/ics/advisories/icsa-20-042-02

Trust: 0.6

url:https://www.us-cert.gov/ics/advisories/icsa-20-042-01

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0486/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0486.2/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0486.3/

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-20-042-07

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/693.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.cisa.gov/uscert/ics/advisories/icsa-20-042-07

Trust: 0.1

sources: CNVD: CNVD-2020-23037 // VULMON: CVE-2019-13924 // JVNDB: JVNDB-2019-014544 // CNNVD: CNNVD-202002-448 // NVD: CVE-2019-13924

CREDITS

Siemens reported this vulnerability to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202002-448

SOURCES

db: CNVD | id: CNVD-2020-23037
db: VULMON | id: CVE-2019-13924
db: JVNDB | id: JVNDB-2019-014544
db: CNNVD | id: CNNVD-202002-448
db: NVD | id: CVE-2019-13924

LAST UPDATE DATE

2024-08-14T12:37:34.010000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2020-23037 | date: 2020-04-16T00:00:00
db: VULMON | id: CVE-2019-13924 | date: 2022-12-13T00:00:00
db: JVNDB | id: JVNDB-2019-014544 | date: 2020-03-25T00:00:00
db: CNNVD | id: CNNVD-202002-448 | date: 2022-12-16T00:00:00
db: NVD | id: CVE-2019-13924 | date: 2022-12-13T17:15:12.527

SOURCES RELEASE DATE

db: CNVD | id: CNVD-2020-23037 | date: 2020-04-16T00:00:00
db: VULMON | id: CVE-2019-13924 | date: 2020-02-11T00:00:00
db: JVNDB | id: JVNDB-2019-014544 | date: 2020-02-27T00:00:00
db: CNNVD | id: CNNVD-202002-448 | date: 2020-02-11T00:00:00
db: NVD | id: CVE-2019-13924 | date: 2020-02-11T16:15:14.430