cvelistv5 - cve-2019-19284

CVE-2019-19284 (GCVE-0-2019-19284)

Vulnerability from cvelistv5

Published

2020-12-14 21:05

Modified

2024-08-05 02:09

Severity ?

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users.

References

URL

Tags

https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Siemens	XHQ	Version: All Versions < 6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T02:09:39.615Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "XHQ",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All Versions \u003c 6.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been identified in XHQ (All Versions \u003c 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-14T21:05:17.000Z",
        "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
        "shortName": "siemens"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "productcert@siemens.com",
          "ID": "CVE-2019-19284",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "XHQ",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All Versions \u003c 6.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Siemens"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability has been identified in XHQ (All Versions \u003c 6.1). The web interface could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify content of particular web pages, causing the application to behave in unexpected ways for legitimate users."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf",
              "refsource": "MISC",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
    "assignerShortName": "siemens",
    "cveId": "CVE-2019-19284",
    "datePublished": "2020-12-14T21:05:17.000Z",
    "dateReserved": "2019-11-26T00:00:00.000Z",
    "dateUpdated": "2024-08-05T02:09:39.615Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CERTFR-2020-AVI-800

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits Siemens. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Siemens	N/A	XHQ versions antérieures à 6.1
Siemens	N/A	SIMATIC ITC1900 V3.1 PRO toutes versions
Siemens	N/A	SIMATIC ITC2200 V3.1 PRO toutes versions
Siemens	N/A	LOGO! 8 BM (incl. SIPLUS variants) versions antérieures à 8.3
Siemens	N/A	SCALANCE X-200 switch family (incl. SIPLUSNET variants) versions antérieures à 5.2.3
Siemens	N/A	SIMATIC HMI Comfort Panels 4" - 22"(incl. SIPLUS variants) versions antérieures à la 16 sans le correctif numéro 3
Siemens	N/A	SCALANCE X-300 switch family (incl. SIPLUSNET variants) versions antérieures à 4.1.3
Siemens	N/A	RUGGEDCOM Win versions antérieures à 5.2
Siemens	N/A	SENTRON PAC3200 versions antérieures à 2.4.5
Siemens	N/A	SIMATIC ITC2200 V3.1 toutes versions
Siemens	N/A	SIMATIC S7-1500 Software Controller versions 20.8
Siemens	N/A	SICAM A8000 CP-8000 versions antérieures à 16
Siemens	N/A	SCALANCE X408 versions antérieures à V4.1.3
Siemens	N/A	LOGO! Soft Comfort versions antérieures à 8.3
Siemens	N/A	SIMATIC ITC1500 V3.1 toutes versions
Siemens	N/A	SICAM A8000 CP-8021 versions antérieures à 16
Siemens	N/A	SCALANCE X414 toutes versions
Siemens	N/A	SICAM A8000 CP-8022 versions antérieures à 16
Siemens	N/A	SENTRON PAC4200 versions antérieures à 2.0.1
Siemens	N/A	SCALANCE X-200IRT switch family (incl. SIPLUSNET variants) versions antérieures à 5.4.1
Siemens	N/A	SIRIUS 3RW5 communication module ModbusTCP toutes versions
Siemens	N/A	SIMATIC ITC1900 V3.1 toutes versions
Siemens	N/A	SCALANCE X-200RNA switch family versions antérieures à 3.2.6
Siemens	N/A	RFID 181EIP toutes versions
Siemens	N/A	SIMATIC HMI KTP Mobile Panels KTP400F,KTP700, KTP700F, KTP900 and KTP900F versions antérieures à la 16 sans le correctif numéro 3
Siemens	N/A	SIMATIC ET 200SP Open Controller(incl. SIPLUS variants) version 20.8
Siemens	N/A	SIMATIC HMI Comfort Outdoor Panels 7" & 15"(incl. SIPLUS variants) versions antérieures à la 16 sans le correctif numéro 3
Siemens	N/A	SIMATIC ITC1500 V3.1 PRO toutes versions
Siemens	N/A	SIMATIC RF182C toutes versions

References

Title

Publication Time

Tags

Bulletin de sécurité Siemens ssa-478893 du 8 décembre 2020	None	vendor-advisory
Bulletin de sécurité Siemens ssa-700697 du 8 décembre 2020	None	vendor-advisory
Bulletin de sécurité Siemens ssa-541017 du 8 décembre 2020	None	vendor-advisory
Bulletin de sécurité Siemens ssa-480824 du 8 décembre 2020	None	vendor-advisory
Bulletin de sécurité Siemens ssa-712690 du 8 décembre 2020	None	vendor-advisory
Bulletin de sécurité Siemens ssa-181018 du 8 décembre 2020	None	vendor-advisory
Bulletin de sécurité Siemens ssa-415783 du 8 décembre 2020	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "XHQ versions ant\u00e9rieures \u00e0 6.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIMATIC ITC1900 V3.1 PRO toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIMATIC ITC2200 V3.1 PRO toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "LOGO! 8 BM (incl. SIPLUS variants) versions ant\u00e9rieures \u00e0 8.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SCALANCE X-200 switch family (incl. SIPLUSNET variants) versions ant\u00e9rieures \u00e0 5.2.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIMATIC HMI Comfort Panels 4\" - 22\"(incl. SIPLUS variants) versions ant\u00e9rieures \u00e0 la 16 sans le correctif num\u00e9ro 3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SCALANCE X-300 switch family (incl. SIPLUSNET variants) versions ant\u00e9rieures \u00e0 4.1.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "RUGGEDCOM Win versions ant\u00e9rieures \u00e0 5.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SENTRON PAC3200 versions ant\u00e9rieures \u00e0 2.4.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIMATIC ITC2200 V3.1 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIMATIC S7-1500 Software Controller versions 20.8",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SICAM A8000 CP-8000 versions ant\u00e9rieures \u00e0 16",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SCALANCE X408 versions ant\u00e9rieures \u00e0 V4.1.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "LOGO! Soft Comfort versions ant\u00e9rieures \u00e0 8.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIMATIC ITC1500 V3.1 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SICAM A8000 CP-8021 versions ant\u00e9rieures \u00e0 16",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SCALANCE X414 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SICAM A8000 CP-8022 versions ant\u00e9rieures \u00e0 16",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SENTRON PAC4200 versions ant\u00e9rieures \u00e0 2.0.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SCALANCE X-200IRT switch family (incl. SIPLUSNET variants) versions ant\u00e9rieures \u00e0 5.4.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIRIUS 3RW5 communication module ModbusTCP toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIMATIC ITC1900 V3.1 toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SCALANCE X-200RNA switch family versions ant\u00e9rieures \u00e0 3.2.6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "RFID 181EIP toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIMATIC HMI KTP Mobile Panels KTP400F,KTP700, KTP700F, KTP900 and KTP900F versions ant\u00e9rieures \u00e0 la 16 sans le correctif num\u00e9ro 3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIMATIC ET 200SP Open Controller(incl. SIPLUS variants) version 20.8",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIMATIC HMI Comfort Outdoor Panels 7\" \u0026 15\"(incl. SIPLUS variants) versions ant\u00e9rieures \u00e0 la 16 sans le correctif num\u00e9ro 3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIMATIC ITC1500 V3.1 PRO toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIMATIC RF182C toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-8287",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-8287"
    },
    {
      "name": "CVE-2020-25231",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25231"
    },
    {
      "name": "CVE-2020-13988",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13988"
    },
    {
      "name": "CVE-2020-25230",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25230"
    },
    {
      "name": "CVE-2020-28396",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28396"
    },
    {
      "name": "CVE-2020-15796",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15796"
    },
    {
      "name": "CVE-2019-15680",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-15680"
    },
    {
      "name": "CVE-2020-25235",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25235"
    },
    {
      "name": "CVE-2018-4833",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-4833"
    },
    {
      "name": "CVE-2019-19289",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19289"
    },
    {
      "name": "CVE-2019-19287",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19287"
    },
    {
      "name": "CVE-2019-19283",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19283"
    },
    {
      "name": "CVE-2020-25228",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25228"
    },
    {
      "name": "CVE-2019-19286",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19286"
    },
    {
      "name": "CVE-2019-15679",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-15679"
    },
    {
      "name": "CVE-2019-19285",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19285"
    },
    {
      "name": "CVE-2020-25232",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25232"
    },
    {
      "name": "CVE-2019-19288",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19288"
    },
    {
      "name": "CVE-2019-19284",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19284"
    },
    {
      "name": "CVE-2020-25233",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25233"
    },
    {
      "name": "CVE-2020-25234",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25234"
    },
    {
      "name": "CVE-2020-25229",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25229"
    },
    {
      "name": "CVE-2019-15678",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-15678"
    }
  ],
  "initial_release_date": "2020-12-08T00:00:00",
  "last_revision_date": "2020-12-08T00:00:00",
  "links": [],
  "reference": "CERTFR-2020-AVI-800",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-12-08T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSiemens. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-478893 du 8 d\u00e9cembre 2020",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-478893.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-700697 du 8 d\u00e9cembre 2020",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-700697.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-541017 du 8 d\u00e9cembre 2020",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-541017.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-480824 du 8 d\u00e9cembre 2020",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-480824.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-712690 du 8 d\u00e9cembre 2020",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-181018 du 8 d\u00e9cembre 2020",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-181018.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-415783 du 8 d\u00e9cembre 2020",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-415783.pdf"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2019-19284 (GCVE-0-2019-19284)

Vulnerability from cvelistv5

CERTFR-2020-AVI-800

Vulnerability from certfr_avis

Solution

Tags

Sightings

Nomenclature