CVE-2018-9155 Information

Description

Cross-site scripting (XSS) vulnerability in Open-AudIT Professional 2.1.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name of a component as demonstrated by the Admin-Logs section (with a logs?logs.type= URI) and the Manage-Attributes section (via the \Name (display)\ field to the attributes/create URI).

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://docs.google.com/document/d/1ZG1qiwpECbVnv92yNckDn7yyuluKoC2_ON-eLhAY97Q/edit?usp=sharing https://www.exploit-db.com/exploits/44612/

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

5.4