ID

VAR-202006-0957


CVE

CVE-2020-15307


TITLE

Nozomi Networks Guardian cross-site scripting vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-51753 // CNNVD: CNNVD-202006-1870

DESCRIPTION

Nozomi Guardian before 19.0.4 allows attackers to achieve stored XSS (in the web front end) by leveraging the ability to create a custom field with a crafted field name. A cross-site scripting vulnerability exists in Nozomi Guardian. Information may be obtained and tampered with. Nozomi Networks Guardian is an IoT device and software inspection system from Nozomi Networks in Switzerland. The vulnerability stems from the lack of proper verification of client data by the web application. Attackers can use this vulnerability to execute client code.

Trust: 2.7

sources: NVD: CVE-2020-15307 // JVNDB: JVNDB-2020-007403 // CNVD: CNVD-2020-51753 // CNNVD: CNNVD-202006-1870

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-51753

AFFECTED PRODUCTS

vendor: nozominetworks, model: guardian, scope: lt, version: 19.0.4

Trust: 1.0

vendor: nozomi, model: guardian, scope: eq, version: 19.0.4

Trust: 0.8

vendor: nozomi, model: networks guardian, scope: lt, version: 19.0.4

Trust: 0.6

sources: CNVD: CNVD-2020-51753 // JVNDB: JVNDB-2020-007403 // NVD: CVE-2020-15307

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-15307
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-007403
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-51753
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202006-1870
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2020-15307
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-007403
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-51753
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-15307
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-007403
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-51753 // JVNDB: JVNDB-2020-007403 // CNNVD: CNNVD-202006-1870 // NVD: CVE-2020-15307

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2020-007403 // NVD: CVE-2020-15307

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-1870

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202006-1870

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-007403

PATCH

title: Guardian, url: https://www.nozominetworks.com/products/guardian/

Trust: 0.8

title: Patch for Nozomi Networks Guardian cross-site scripting vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/233596

Trust: 0.6

title: Nozomi Networks Guardian Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=122824

Trust: 0.6

sources: CNVD: CNVD-2020-51753 // JVNDB: JVNDB-2020-007403 // CNNVD: CNNVD-202006-1870

EXTERNAL IDS

db: NVD, id: CVE-2020-15307

Trust: 3.0

db: JVNDB, id: JVNDB-2020-007403

Trust: 0.8

db: CNVD, id: CNVD-2020-51753

Trust: 0.6

db: CNNVD, id: CNNVD-202006-1870

Trust: 0.6

sources: CNVD: CNVD-2020-51753 // JVNDB: JVNDB-2020-007403 // CNNVD: CNNVD-202006-1870 // NVD: CVE-2020-15307

REFERENCES

url: https://nvd.nist.gov/vuln/detail/cve-2020-15307

Trust: 2.0

url: https://www2.deloitte.com/de/de/pages/risk/articles/nozomi-stored-xss.html?nc=1

Trust: 1.6

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-15307

Trust: 0.8

url: https://www2.deloitte.com/de/de/pages/risk/articles/nozomi-csv-injection.html?nc=1

Trust: 0.8

sources: CNVD: CNVD-2020-51753 // JVNDB: JVNDB-2020-007403 // CNNVD: CNNVD-202006-1870 // NVD: CVE-2020-15307

SOURCES

db: CNVD, id: CNVD-2020-51753
db: JVNDB, id: JVNDB-2020-007403
db: CNNVD, id: CNNVD-202006-1870
db: NVD, id: CVE-2020-15307

LAST UPDATE DATE

2024-11-23T22:05:37.077000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-51753, date: 2020-09-11T00:00:00
db: JVNDB, id: JVNDB-2020-007403, date: 2020-08-12T00:00:00
db: CNNVD, id: CNNVD-202006-1870, date: 2020-07-08T00:00:00
db: NVD, id: CVE-2020-15307, date: 2024-11-21T05:05:17.567

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-51753, date: 2020-09-11T00:00:00
db: JVNDB, id: JVNDB-2020-007403, date: 2020-08-12T00:00:00
db: CNNVD, id: CNNVD-202006-1870, date: 2020-06-30T00:00:00
db: NVD, id: CVE-2020-15307, date: 2020-06-30T18:15:12.477