Details of VAR-202003-0778

ID

VAR-202003-0778

CVE

CVE-2019-19294

TITLE

SiNVR 3 Central Control Server and Video Server Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2019-014868

DESCRIPTION

A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The web interface of the Control Center Server (CCS) contains multiple stored Cross-site Scripting (XSS) vulnerabilities in several input fields. This could allow an authenticated remote attacker to inject malicious JavaScript code into the CCS web application that is later executed in the browser context of any other user who views the relevant CCS web content. SiNVR 3 is a video management platform. Remote attackers can use this vulnerability to inject malicious JavaScript code

Trust: 2.43

sources: NVD: CVE-2019-19294 // JVNDB: JVNDB-2019-014868 // CNVD: CNVD-2020-17007 // IVD: 743ca4cb-2414-4d27-b575-59994d163c85 // VULMON: CVE-2019-19294

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 743ca4cb-2414-4d27-b575-59994d163c85 // CNVD: CNVD-2020-17007

AFFECTED PRODUCTS

vendor:	siemens	model:	sinvr 3 central control server	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	sinvr 3 video server	scope:	eq	version:	*	Trust: 1.0
vendor:	シーメンス	model:	sinvr 3 video server	scope:	eq	version:	-	Trust: 0.8
vendor:	シーメンス	model:	sinvr 3 central control server	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	sinvr central control server	scope:	eq	version:	3	Trust: 0.6
vendor:	siemens	model:	sinvr video server	scope:	eq	version:	3	Trust: 0.6
vendor:	sinvr 3 central control server	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	sinvr 3 video server	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 743ca4cb-2414-4d27-b575-59994d163c85 // CNVD: CNVD-2020-17007 // JVNDB: JVNDB-2019-014868 // NVD: CVE-2019-19294

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-19294
value:	MEDIUM
Trust: 1.0
productcert@siemens.com:	CVE-2019-19294
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-19294
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-17007
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-202003-481
value:	MEDIUM
Trust: 0.6
IVD:	743ca4cb-2414-4d27-b575-59994d163c85
value:	MEDIUM
Trust: 0.2
VULMON:	CVE-2019-19294
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2019-19294
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2020-17007
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	743ca4cb-2414-4d27-b575-59994d163c85
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2019-19294
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.1
Trust: 1.0
productcert@siemens.com:	CVE-2019-19294
baseSeverity:	MEDIUM
baseScore:	6.3
vectorString:	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	4.0
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2019-014868
baseSeverity:	MEDIUM
baseScore:	6.3
vectorString:	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 743ca4cb-2414-4d27-b575-59994d163c85 // CNVD: CNVD-2020-17007 // VULMON: CVE-2019-19294 // JVNDB: JVNDB-2019-014868 // CNNVD: CNNVD-202003-481 // NVD: CVE-2019-19294 // NVD: CVE-2019-19294

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2019-014868 // NVD: CVE-2019-19294

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-481

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202003-481

PATCH

title:	SSA-844761	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-844761.pdf	Trust: 0.8
title:	Patch for Siemens SiNVR 3 Cross-site Scripting Vulnerability (CNVD-2020-17007)	url:	https://www.cnvd.org.cn/patchInfo/show/208743	Trust: 0.6
title:	Siemens Security Advisories: Siemens Security Advisory	url:	https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=03dd7efb196bdf8da925c4ca8f3d02f6	Trust: 0.1
title:	Siemens Security Advisories: Siemens Security Advisory	url:	https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=941d6ca22d089421a99575c44abd4248	Trust: 0.1

sources: CNVD: CNVD-2020-17007 // VULMON: CVE-2019-19294 // JVNDB: JVNDB-2019-014868

EXTERNAL IDS

db:	NVD	id:	CVE-2019-19294	Trust: 4.1
db:	SIEMENS	id:	SSA-761844	Trust: 1.7
db:	SIEMENS	id:	SSA-844761	Trust: 1.7
db:	ICS CERT	id:	ICSA-20-070-01	Trust: 1.4
db:	CNVD	id:	CNVD-2020-17007	Trust: 0.8
db:	CNNVD	id:	CNNVD-202003-481	Trust: 0.8
db:	JVN	id:	JVNVU96269392	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-014868	Trust: 0.8
db:	ICS CERT	id:	ICSA-21-103-10	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1240	Trust: 0.6
db:	NSFOCUS	id:	46128	Trust: 0.6
db:	IVD	id:	743CA4CB-2414-4D27-B575-59994D163C85	Trust: 0.2
db:	VULMON	id:	CVE-2019-19294	Trust: 0.1

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2019-19294	Trust: 2.0
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-844761.pdf	Trust: 1.7
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-761844.pdf	Trust: 1.7
url:	https://www.us-cert.gov/ics/advisories/icsa-20-070-01	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu96269392/index.html	Trust: 0.8
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-103-10	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1240	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/46128	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://cert-portal.siemens.com/productcert/txt/ssa-761844.txt	Trust: 0.1

sources: CNVD: CNVD-2020-17007 // VULMON: CVE-2019-19294 // JVNDB: JVNDB-2019-014868 // CNNVD: CNNVD-202003-481 // NVD: CVE-2019-19294

SOURCES

db:	IVD	id:	743ca4cb-2414-4d27-b575-59994d163c85
db:	CNVD	id:	CNVD-2020-17007
db:	VULMON	id:	CVE-2019-19294
db:	JVNDB	id:	JVNDB-2019-014868
db:	CNNVD	id:	CNNVD-202003-481
db:	NVD	id:	CVE-2019-19294

LAST UPDATE DATE

2024-08-14T12:30:26.999000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-17007	date:	2020-03-13T00:00:00
db:	VULMON	id:	CVE-2019-19294	date:	2021-04-22T00:00:00
db:	JVNDB	id:	JVNDB-2019-014868	date:	2024-02-20T07:11:00
db:	CNNVD	id:	CNNVD-202003-481	date:	2021-04-23T00:00:00
db:	NVD	id:	CVE-2019-19294	date:	2024-01-09T10:15:12.267

SOURCES RELEASE DATE

db:	IVD	id:	743ca4cb-2414-4d27-b575-59994d163c85	date:	2020-03-10T00:00:00
db:	CNVD	id:	CNVD-2020-17007	date:	2020-03-13T00:00:00
db:	VULMON	id:	CVE-2019-19294	date:	2020-03-10T00:00:00
db:	JVNDB	id:	JVNDB-2019-014868	date:	2020-03-24T00:00:00
db:	CNNVD	id:	CNNVD-202003-481	date:	2020-03-10T00:00:00
db:	NVD	id:	CVE-2019-19294	date:	2020-03-10T20:15:19.413