CVE-2019-19393

Published: Oct 1, 2020Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

The Web application on Rittal CMC PU III 7030.000 V3.00 V3.11.00_2 to V3.15.70_4 devices fails to sanitize user input on the system configurations page. This allows an attacker to backdoor the device with HTML and browser-interpreted content (such as JavaScript or other client-side scripts) as the content is always displayed after and before login. Persistent XSS allows an attacker to modify displayed content or to change the victim's information. Successful exploitation requires access to the web management interface, either with valid credentials or a hijacked session.

Affected (1)

Products: Rittal: Cmc Pu Iii 7030.000 Firmware

1 product

Cmc Pu Iii 7030.000 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Rittal Cmc Pu Iii 7030.000 Firmware	From 3.11.00_2 to 3.15.70_4

Running on/with	Platform Versions
Rittal Cmc Pu Iii 7030.000	From 3.00 to 6.01

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/miguelhamal/CVE-2019-19393

Source: cve@mitre.org

Third Party Advisory

https://www.rittal.us/monitoring-security/cmc-iii.html

Source: cve@mitre.org

Broken LinkVendor Advisory

https://github.com/miguelhamal/CVE-2019-19393

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.rittal.us/monitoring-security/cmc-iii.html

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkVendor Advisory

Timeline

No history available yet.