CVE-2017-10667

In index.php in Zen Cart 1.6.0, the products_id parameter can cause XSS.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/zencart/zencart/issues/1443	Issue Tracking Third Party Advisory
https://github.com/zhonghaozhao/zencart/issues/1	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zen-cart:zen_cart:1.6.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-06-29 00:29

Updated : 2017-07-03 14:37

NVD link : CVE-2017-10667

Mitre link : CVE-2017-10667

CVE.ORG link : CVE-2017-10667

JSON object : View

Products Affected

zen-cart

zen_cart

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2017-10667", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2017-06-29T00:29:00.263", "references": [{"url": "https://github.com/zencart/zencart/issues/1443", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/zhonghaozhao/zencart/issues/1", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "In index.php in Zen Cart 1.6.0, the products_id parameter can cause XSS."}, {"lang": "es", "value": "En index.php en Zen Cart 1.6.0, el par\u00e1metro products_id puede provocar Cross-Site Scripting (XSS). RSA Via Lifecycle and Governance versi\u00f3n 7.0, en todos los niveles de parches y RSA Identity Management and Governance (RSA IMG) versiones 6.9.1, en todos los niveles de parches, permiten que un administrador de aplicaci\u00f3n suba archivos arbitrarios que podr\u00edan contener c\u00f3digo malicioso. El archivo malicioso podr\u00eda ejecutarse en el sistema afectado con los privilegios del usuario que est\u00e1 ejecutando la aplicaci\u00f3n."}], "lastModified": "2017-07-03T14:37:08.793", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zen-cart:zen_cart:1.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "06A476EF-01B0-4A75-BAFE-944B37B48F9E"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}