Details of VAR-202006-1100

ID

VAR-202006-1100

CVE

CVE-2020-3233

TITLE

Cisco IOx Application Framework Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2021-31256 // CNNVD: CNNVD-202006-353

DESCRIPTION

A vulnerability in the web-based Local Manager interface of the Cisco IOx Application Framework could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based Local Manager interface of an affected device. The attacker must have valid Local Manager credentials. The vulnerability is due to insufficient validation of user-supplied input by the web-based Local Manager interface of the affected software. An attacker could exploit this vulnerability by injecting malicious code into a system settings tab. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information. Cisco IOx A cross-site scripting vulnerability exists in the application framework.Information may be obtained and tampered with. Cisco Iox is a secure development environment of the US Cisco (Cisco) that combines Cisco IOS and Linux OS for secure network connection and development of IOT applications. The vulnerability is caused by incorrectly verifying the input provided by the user

Trust: 2.79

sources: NVD: CVE-2020-3233 // JVNDB: JVNDB-2020-006100 // CNVD: CNVD-2021-31256 // CNNVD: CNNVD-202006-353 // VULHUB: VHN-181358

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-31256

AFFECTED PRODUCTS

vendor:	cisco	model:	iox	scope:	lt	version:	1.9.0	Trust: 1.0
vendor:	cisco	model:	iox	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	iox application framework	scope:	lt	version:	1.9.0	Trust: 0.6

sources: CNVD: CNVD-2021-31256 // JVNDB: JVNDB-2020-006100 // NVD: CVE-2020-3233

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-3233
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2020-3233
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2020-006100
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2021-31256
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202006-353
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-181358
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2020-3233
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-006100
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2021-31256
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-181358
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-3233
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2020-3233
baseSeverity:	MEDIUM
baseScore:	6.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.1
impactScore:	2.7
version:	3.0
Trust: 1.0
NVD:	JVNDB-2020-006100
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-31256 // VULHUB: VHN-181358 // JVNDB: JVNDB-2020-006100 // CNNVD: CNNVD-202006-353 // NVD: CVE-2020-3233 // NVD: CVE-2020-3233

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-181358 // JVNDB: JVNDB-2020-006100 // NVD: CVE-2020-3233

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-353

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202006-353

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-006100

PATCH

title:	cisco-sa-ioxxss-wc6CqUws	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ioxxss-wc6CqUws	Trust: 0.8
title:	Patch for Cisco IOx Application Framework Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/261691	Trust: 0.6
title:	Cisco IOx Application Framework Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=120251	Trust: 0.6

sources: CNVD: CNVD-2021-31256 // JVNDB: JVNDB-2020-006100 // CNNVD: CNNVD-202006-353

EXTERNAL IDS

db:	NVD	id:	CVE-2020-3233	Trust: 3.1
db:	JVNDB	id:	JVNDB-2020-006100	Trust: 0.8
db:	CNVD	id:	CNVD-2021-31256	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1931	Trust: 0.6
db:	CNNVD	id:	CNNVD-202006-353	Trust: 0.6
db:	VULHUB	id:	VHN-181358	Trust: 0.1

sources: CNVD: CNVD-2021-31256 // VULHUB: VHN-181358 // JVNDB: JVNDB-2020-006100 // CNNVD: CNNVD-202006-353 // NVD: CVE-2020-3233

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2020-3233	Trust: 2.0
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ioxxss-wc6cquws	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3233	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2020.1931/	Trust: 0.6

sources: CNVD: CNVD-2021-31256 // VULHUB: VHN-181358 // JVNDB: JVNDB-2020-006100 // CNNVD: CNNVD-202006-353 // NVD: CVE-2020-3233

SOURCES

db:	CNVD	id:	CNVD-2021-31256
db:	VULHUB	id:	VHN-181358
db:	JVNDB	id:	JVNDB-2020-006100
db:	CNNVD	id:	CNNVD-202006-353
db:	NVD	id:	CVE-2020-3233

LAST UPDATE DATE

2024-11-23T22:05:36.468000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-31256	date:	2021-04-27T00:00:00
db:	VULHUB	id:	VHN-181358	date:	2020-06-08T00:00:00
db:	JVNDB	id:	JVNDB-2020-006100	date:	2020-06-30T00:00:00
db:	CNNVD	id:	CNNVD-202006-353	date:	2021-01-05T00:00:00
db:	NVD	id:	CVE-2020-3233	date:	2024-11-21T05:30:37.330

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-31256	date:	2021-04-27T00:00:00
db:	VULHUB	id:	VHN-181358	date:	2020-06-03T00:00:00
db:	JVNDB	id:	JVNDB-2020-006100	date:	2020-06-30T00:00:00
db:	CNNVD	id:	CNNVD-202006-353	date:	2020-06-03T00:00:00
db:	NVD	id:	CVE-2020-3233	date:	2020-06-03T18:15:21.277