CVE-2020-22158

MediaKind (formerly Ericsson) RX8200 5.13.3 devices are vulnerable to multiple reflected and stored XSS. An attacker has to inject JavaScript code directly in the "path" or "Services+ID" parameters and send the URL to a user in order to exploit reflected XSS. In the case of stored XSS, an attacker must modify the "name" parameter with the malicious code.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://sku11army.blogspot.com/2020/02/ericsson-multiple-stored-reflected-xss.html	Permissions Required
https://sku11army.blogspot.com/2020/02/ericsson-multiple-stored-reflected-xss.html	Permissions Required

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:mediakind:rx8200_firmware:5.13.3:*:*:*:*:*:*:*

cpe:2.3:h:mediakind:rx8200:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-09-14 16:15

Updated : 2024-11-21 05:13

NVD link : CVE-2020-22158

Mitre link : CVE-2020-22158

CVE.ORG link : CVE-2020-22158

JSON object : View

Products Affected

mediakind

rx8200
rx8200_firmware

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2020-22158", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2020-09-14T16:15:11.590", "references": [{"url": "https://sku11army.blogspot.com/2020/02/ericsson-multiple-stored-reflected-xss.html", "tags": ["Permissions Required"], "source": "cve@mitre.org"}, {"url": "https://sku11army.blogspot.com/2020/02/ericsson-multiple-stored-reflected-xss.html", "tags": ["Permissions Required"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "MediaKind (formerly Ericsson) RX8200 5.13.3 devices are vulnerable to multiple reflected and stored XSS. An attacker has to inject JavaScript code directly in the \"path\" or \"Services+ID\" parameters and send the URL to a user in order to exploit reflected XSS. In the case of stored XSS, an attacker must modify the \"name\" parameter with the malicious code."}, {"lang": "es", "value": "Los dispositivos MediaKind (anteriormente Ericsson) versi\u00f3n 5.13.3, son vulnerables a m\u00faltiples ataques de tipo XSS reflejados y almacenados. Un atacante tiene que inyectar c\u00f3digo JavaScript directamente en los par\u00e1metros \"path\" o \"Services+ID\" y enviar la URL hacia un usuario para explotar la vulnerabilidad de tipo XSS reflejado. En el caso de una vulnerabilidad de tipo XSS almacenado, un atacante debe modificar el par\u00e1metro \"name\" con el c\u00f3digo malicioso"}], "lastModified": "2024-11-21T05:13:07.630", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:mediakind:rx8200_firmware:5.13.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7A1EEB9E-45E3-495B-A09C-71A7A96B015D"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:mediakind:rx8200:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "369370E0-04CD-4EDE-9C0C-F2FCAD7C40E3"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}