CVE-2023-4951 - Vulnerability Details - OpenCVE

A cross site scripting issue was discovered with the pagination function on the "Client-based Authentication Policy Configuration" screen of the GreenRADIUS web admin interface. This issue is found in GreenRADIUS v5.1.1.1 and prior. A fix was included in v5.1.2.2.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Greenrocketsecurity	Greenradius

Configuration 1 [-]

cpe:2.3:a:greenrocketsecurity:greenradius:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://greenrocketsecurity.com/cve-2023-4951/

History

Wed, 25 Sep 2024 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GreenRocketSecurity

Published: 2023-09-14T16:43:40.721Z

Updated: 2024-09-25T14:16:47.777Z

Reserved: 2023-09-13T19:40:55.301Z

Link: CVE-2023-4951

Vulnrichment

Updated: 2024-08-02T07:44:52.595Z

NVD

Status : Modified

Published: 2023-09-14T17:15:11.927

Modified: 2024-11-21T08:36:20.073

Link: CVE-2023-4951

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"assignerOrgId": "6a7d5611-ec52-41f4-b33a-a457deec1320", "assignerShortName": "GreenRocketSecurity", "cveId": "CVE-2023-4951", "state": "PUBLISHED", "dateUpdated": "2024-09-25T14:16:47.777Z", "datePublished": "2023-09-14T16:43:40.721Z", "dateReserved": "2023-09-13T19:40:55.301Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "GreenRADIUS", "vendor": "Green Rocket Security", "versions": [{"lessThanOrEqual": "5.1.1.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jay Sharma, Application Security Analyst, Qualys, Inc."}], "datePublic": "2023-09-13T21:15:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A cross site scripting issue was discovered with the pagination function on the \"Client-based Authentication Policy Configuration\" screen of the GreenRADIUS web admin interface. <span style=\"background-color: rgb(255, 255, 255);\">This issue is found in GreenRADIUS v5.1.1.1 and prior. A fix was included in v5.1.2.2.</span>\n\n<br>"}], "value": "A cross site scripting issue was discovered with the pagination function on the \"Client-based Authentication Policy Configuration\" screen of the GreenRADIUS web admin interface.\u00a0This issue is found in GreenRADIUS v5.1.1.1 and prior. A fix was included in v5.1.2.2.\n\n\n"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6a7d5611-ec52-41f4-b33a-a457deec1320", "shortName": "GreenRocketSecurity", "dateUpdated": "2023-09-22T14:48:49.045Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://greenrocketsecurity.com/cve-2023-4951/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to GreenRADIUS v5.1.2.2 or later<br>"}], "value": "Upgrade to GreenRADIUS v5.1.2.2 or later\n"}], "source": {"discovery": "EXTERNAL"}, "title": "Cross Site Scripting (XSS) Issue on \"Client Based Authentication Policy Configuration\" Screen", "x_generator": {"engine": "SecretariatVulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:44:52.595Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://greenrocketsecurity.com/cve-2023-4951/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-25T14:03:15.717955Z", "id": "CVE-2023-4951", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T14:16:47.777Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://greenrocketsecurity.com/cve-2023-4951/", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:44:52.595Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4951", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-25T14:03:15.717955Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T14:13:23.889Z"}}], "cna": {"title": "Cross Site Scripting (XSS) Issue on \"Client Based Authentication Policy Configuration\" Screen", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jay Sharma, Application Security Analyst, Qualys, Inc."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Green Rocket Security", "product": "GreenRADIUS", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.1.1.1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to GreenRADIUS v5.1.2.2 or later\n", "supportingMedia": [{"type": "text/html", "value": "Upgrade to GreenRADIUS v5.1.2.2 or later<br>", "base64": false}]}], "datePublic": "2023-09-13T21:15:00.000Z", "references": [{"url": "https://greenrocketsecurity.com/cve-2023-4951/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "SecretariatVulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A cross site scripting issue was discovered with the pagination function on the \"Client-based Authentication Policy Configuration\" screen of the GreenRADIUS web admin interface.\u00a0This issue is found in GreenRADIUS v5.1.1.1 and prior. A fix was included in v5.1.2.2.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "A cross site scripting issue was discovered with the pagination function on the \"Client-based Authentication Policy Configuration\" screen of the GreenRADIUS web admin interface. <span style=\"background-color: rgb(255, 255, 255);\">This issue is found in GreenRADIUS v5.1.1.1 and prior. A fix was included in v5.1.2.2.</span>\n\n<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "6a7d5611-ec52-41f4-b33a-a457deec1320", "shortName": "GreenRocketSecurity", "dateUpdated": "2023-09-22T14:48:49.045Z"}}}, "cveMetadata": {"cveId": "CVE-2023-4951", "state": "PUBLISHED", "dateUpdated": "2024-09-25T14:16:47.777Z", "dateReserved": "2023-09-13T19:40:55.301Z", "assignerOrgId": "6a7d5611-ec52-41f4-b33a-a457deec1320", "datePublished": "2023-09-14T16:43:40.721Z", "assignerShortName": "GreenRocketSecurity"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:greenrocketsecurity:greenradius:*:*:*:*:*:*:*:*", "matchCriteriaId": "16CB4C98-635C-4771-B279-78078FB62DA2", "versionEndExcluding": "5.1.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A cross site scripting issue was discovered with the pagination function on the \"Client-based Authentication Policy Configuration\" screen of the GreenRADIUS web admin interface.\u00a0This issue is found in GreenRADIUS v5.1.1.1 and prior. A fix was included in v5.1.2.2.\n\n\n"}, {"lang": "es", "value": "Se descubri\u00f3 un problema de Cross Site Scripting (XSS) con la funci\u00f3n de paginaci\u00f3n en la pantalla \"Client-based Authentication Policy Configuration\" de la interfaz de administraci\u00f3n web de GreenRADIUS. Este problema se encuentra en GreenRADIUS v5.1.1.1 y anteriores. Se incluy\u00f3 una soluci\u00f3n en v5.1.2.2"}], "id": "CVE-2023-4951", "lastModified": "2024-11-21T08:36:20.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 1.4, "source": "info@greenrocketsecurity.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-14T17:15:11.927", "references": [{"source": "info@greenrocketsecurity.com", "tags": ["Vendor Advisory"], "url": "https://greenrocketsecurity.com/cve-2023-4951/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://greenrocketsecurity.com/cve-2023-4951/"}], "sourceIdentifier": "info@greenrocketsecurity.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "info@greenrocketsecurity.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}