CVE-2019-19393

CVSS V2 Medium 4.3 CVSS V3 Medium 6.1
Description
The Web application on Rittal CMC PU III 7030.000 V3.00 V3.11.00_2 to V3.15.70_4 devices fails to sanitize user input on the system configurations page. This allows an attacker to backdoor the device with HTML and browser-interpreted content (such as JavaScript or other client-side scripts) as the content is always displayed after and before login. Persistent XSS allows an attacker to modify displayed content or to change the victim's information. Successful exploitation requires access to the web management interface, either with valid credentials or a hijacked session.
Overview
  • CVE ID
  • CVE-2019-19393
  • Assigner
  • cve@mitre.org
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2020-10-01T17:15:13
  • Last Modified Date
  • 2020-10-13T13:40:50
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
AND
cpe:2.3:o:rittal:cmc_pu_iii_7030.000_firmware:*:*:*:*:*:*:*:* 1 OR 3.11.00_2 3.15.70_4
cpe:2.3:h:rittal:cmc_pu_iii_7030.000:*:*:*:*:*:*:*:* 0 OR 3.00 6.01
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:M/Au:N/C:N/I:P/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • MEDIUM
  • Authentication
  • NONE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • NONE
  • Base Score
  • 4.3
  • Severity
  • MEDIUM
  • Exploitability Score
  • 8.6
  • Impact Score
  • 2.9
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • NONE
  • User Interaction
  • REQUIRED
  • Scope
  • CHANGED
  • Confidentiality Impact
  • LOW
  • Availability Impact
  • NONE
  • Base Score
  • 6.1
  • Base Severity
  • MEDIUM
  • Exploitability Score
  • 2.8
  • Impact Score
  • 2.7
References
Reference URL Reference Tags
https://www.rittal.us/monitoring-security/cmc-iii.html Broken Link Vendor Advisory
https://github.com/miguelhamal/CVE-2019-19393 Third Party Advisory
History
Created Old Value New Value Data Type Notes
2022-05-10 17:09:12 Added to TrackCVE
2022-12-04 23:35:55 2020-10-01T17:15Z 2020-10-01T17:15:13 CVE Published Date updated
2022-12-04 23:35:55 2020-10-13T13:40:50 CVE Modified Date updated
2022-12-04 23:35:55 Analyzed Vulnerability Status updated