CVE-2020-16270

{"id": "CVE-2020-16270", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2020-10-16T14:15:11.720", "references": [{"url": "https://bdu.fstec.ru/vul/2020-04623", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/Security-AVS/CVE-2020-16270", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://olimpoks.ru/oks/forum/olimpoks5.php", "tags": ["Product", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "OLIMPOKS under 3.3.39 allows Auth/Admin ErrorMessage XSS. Remote Attacker can use discovered vulnerability to inject malicious JavaScript payload to victim\u2019s browsers in context of vulnerable applications. Executed code can be used to steal administrator\u2019s cookies, influence HTML content of targeted application and perform phishing-related attacks. Vulnerable application used in more than 3000 organizations in different sectors from retail to industries."}, {"lang": "es", "value": "OLIMPOKS en 3.3.39 permite Auth/Admin ErrorMessage XSS. El Atacante Remoto puede usar la vulnerabilidad descubierta para inyectar carga \u00fatil JavaScript maliciosa a los navegadores de las v\u00edctimas en el contexto de aplicaciones vulnerables. El c\u00f3digo ejecutado puede utilizarse para robar las cookies del administrador, influir en el contenido HTML de la aplicaci\u00f3n objetivo y realizar ataques relacionados con la suplantaci\u00f3n de identidad (phishing). Aplicaci\u00f3n vulnerable utilizada en m\u00e1s de 3000 organizaciones de diferentes sectores, desde el comercio minorista hasta las industrias"}], "lastModified": "2020-10-21T14:12:56.650", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:olimpoks:olimpok:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9083ABB4-800D-459B-BB6F-32CB55756A21", "versionEndExcluding": "3.3.39"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}