Vulnerability Name:CVE-2017-14621 (CCN-132281)

Assigned:2017-09-19
Published:2017-09-19
Updated:2017-09-28
Summary:Portus 2.2.0 has XSS via the Team field, related to typeahead.
CVSS v3 Severity:5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:U/RC:R)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:U/RC:R)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-79 (Improper Neutralization of Input During Web Page Generation)
Vulnerability Consequences:Cross-Site Scripting
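The summary ties the XSS to the typeahead that suggests team names; the usual shape of that bug is a suggestion template that concatenates the team name into an HTML string which the widget then assigns to innerHTML. The JavaScript below is an added illustration, not code from Portus or from the fix in the linked pull request; the template markup, the function names and the hostile sample team name are constructed for this example. It puts the vulnerable concatenation beside an escaped version and includes a check that tells the two apart.

```javascript
// Added example (not Portus code): a typeahead suggestion renderer that
// inserts a user-controlled team name into HTML, shown vulnerable and fixed.
// The markup, function names and sample data are constructed assumptions.

// Vulnerable pattern: the raw team name is concatenated into the suggestion
// markup, so any '<' in the name becomes a live element once the widget
// assigns this string to innerHTML.
function renderSuggestionUnsafe(teamName) {
  return '<div class="suggestion">' + teamName + '</div>';
}

// HTML escaping for text and double-quoted attribute contexts: every
// character that can open or close a tag or an attribute value is replaced
// by its entity. '&' must go first so earlier replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: escape before concatenation, so the team name is always
// rendered as text no matter which characters it contains.
function renderSuggestionSafe(teamName) {
  return '<div class="suggestion">' + escapeHtml(teamName) + '</div>';
}

// Check usable in a unit test against any renderer: does the rendered
// suggestion contain an element other than the template's own <div>?
// Escaped output only ever contains the wrapper; injected markup adds more.
function injectsMarkup(renderFn, teamName) {
  const out = renderFn(teamName);
  const tags = out.match(/<[a-zA-Z]+/g) || [];
  return tags.some((t) => t.toLowerCase() !== '<div');
}

// Constructed sample: a team name that is a classic stored-XSS probe.
const HOSTILE_TEAM = '<img src=x onerror=alert(document.cookie)>';

// Stand-alone run prints the verdict for both renderers.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe renderer injects markup:', injectsMarkup(renderSuggestionUnsafe, HOSTILE_TEAM));
  console.log('safe renderer injects markup:  ', injectsMarkup(renderSuggestionSafe, HOSTILE_TEAM));
}
```

The same check applies to any rendering path that builds a string for innerHTML: if a value that a low-privileged user controls (here, a team name) can add an element the template did not put there, the template is vulnerable regardless of which typeahead library consumes it.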
References:Source: MITRE
Type: CNA
CVE-2017-14621

Source: XF
Type: UNKNOWN
suse-portus-xss(132281)

Source: CCN
Type: SUSE/Portus GIT Repository
Authorization service and frontend for Docker registry (v2) http://port.us.org/

Source: CONFIRM
Type: Third Party Advisory
https://github.com/SUSE/Portus/pull/1425

Source: CCN
Type: Packet Storm Security [09-19-2017]
SUSE/Portus 2.2 Cross Site Scripting

Vulnerable Configuration:Configuration 1:
  • cpe:/a:suse:portus:2.2.0:*:*:*:*:*:*:*

  (* denotes that the component is vulnerable)
Oval Definitions (Class: V = vulnerability definition, P = patch definition):
Definition ID                             Class  Title                                                     Last Modified
oval:org.opensuse.security:def:201714621  V      CVE-2017-14621                                            2022-05-20
oval:org.opensuse.security:def:38368      P      Security update for xorg-x11-server (Important)           2021-12-20
oval:org.opensuse.security:def:14063      P      xfsprogs-4.3.0-8.8 on GA media (Moderate)                 2021-08-16
oval:org.opensuse.security:def:13901      P      libgcrypt20-1.6.1-16.33.1 on GA media (Moderate)          2021-08-16
oval:org.opensuse.security:def:14087      P      apache2-mod_perl-2.0.8-11.43 on GA media (Moderate)       2021-08-16
oval:org.opensuse.security:def:14019      P      python-pywbem-0.7.0-4.3 on GA media (Moderate)            2021-08-16
oval:org.opensuse.security:def:14747      P      python-libxml2-2.9.4-46.15.1 on GA media (Moderate)       2021-08-16
oval:org.opensuse.security:def:13818      P      fetchmail-6.3.26-12.3 on GA media (Moderate)              2021-08-16
oval:org.opensuse.security:def:13882      P      libXvMC1-1.0.8-3.56 on GA media (Moderate)                2021-08-16
oval:org.opensuse.security:def:14074      P      DirectFB-1.7.1-6.1 on GA media (Moderate)                 2021-08-16
oval:org.opensuse.security:def:13994      P      opie-2.4-724.56 on GA media (Moderate)                    2021-08-16
oval:org.opensuse.security:def:14725      P      patch-2.7.5-8.5.1 on GA media (Moderate)                  2021-08-16
oval:org.opensuse.security:def:13865      P      libMagickCore-6_Q16-1-6.8.8.1-33.1 on GA media (Moderate) 2021-08-16
oval:org.opensuse.security:def:13728      P      strongswan-5.1.3-18.1 on GA media (Moderate)              2021-06-08
oval:org.opensuse.security:def:13720      P      ruby-2.1-1.6 on GA media (Moderate)                       2021-06-08
oval:org.opensuse.security:def:13750      P      xdg-utils-20140630-5.1 on GA media (Moderate)             2021-06-08
oval:org.opensuse.security:def:37823      P      iputils on GA media (Moderate)                            2020-12-01
oval:org.opensuse.security:def:38061      P      sblim-sfcb on GA media (Moderate)                         2020-12-01
oval:org.opensuse.security:def:38515      P      wpa_supplicant on GA media (Moderate)                     2020-12-01
oval:org.opensuse.security:def:38208      P      gstreamer-plugins-bad on GA media (Moderate)              2020-12-01
oval:org.opensuse.security:def:38587      P      emacs on GA media (Moderate)                              2020-12-01
oval:org.opensuse.security:def:38427      P      opie on GA media (Moderate)                               2020-12-01
oval:org.opensuse.security:def:37739      P      avahi on GA media (Moderate)                              2020-12-01
oval:org.opensuse.security:def:39267      P      Security update for portus (Important)                    2020-12-01
oval:org.opensuse.security:def:37960      P      libsnmp30-32bit on GA media (Moderate)                    2020-12-01
oval:org.opensuse.security:def:37727      P      apache-commons-daemon on GA media (Moderate)              2020-12-01
oval:org.opensuse.security:def:38476      P      ruby on GA media (Moderate)                               2020-12-01
oval:org.opensuse.security:def:38118      P      aaa_base on GA media (Moderate)                           2020-12-01
oval:org.opensuse.security:def:38543      P      apache-commons-httpclient on GA media (Moderate)          2020-12-01
oval:org.opensuse.security:def:37728      P      apache-commons-httpclient on GA media (Moderate)          2020-12-01
oval:org.opensuse.security:def:39225      P      pulseaudio-module-bluetooth on GA media (Moderate)        2020-12-01