CVE-2019-14415 - Vulnerability Details

Vendors	Products
Veritas	Resiliency Platform

Link	Providers
http://packetstormsecurity.com/files/153842/Veritas-Resiliency-Platform-VRP-Traversal-Command-Execution.html
http://seclists.org/fulldisclosure/2019/Jul/39
https://www.veritas.com/content/support/en_US/security/VTS19-002.html#Issue4

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1. A persistent cross-site scripting (XSS) vulnerability allows a malicious VRP user to inject malicious script into another user's browser, related to resiliency plans functionality. A victim must open a resiliency plan that an attacker has access to."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:L/C:L/I:L/PR:H/S:C/UI:R", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-31T21:06:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.veritas.com/content/support/en_US/security/VTS19-002.html#Issue4"}, {"name": "20190730 VTS19-002: Multiple Vulnerabilities in Veritas Resiliency Platform (VRP)", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Jul/39"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/153842/Veritas-Resiliency-Platform-VRP-Traversal-Command-Execution.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-14415", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1. A persistent cross-site scripting (XSS) vulnerability allows a malicious VRP user to inject malicious script into another user's browser, related to resiliency plans functionality. A victim must open a resiliency plan that an attacker has access to."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/AV:N/A:L/C:L/I:L/PR:H/S:C/UI:R", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.veritas.com/content/support/en_US/security/VTS19-002.html#Issue4", "refsource": "MISC", "url": "https://www.veritas.com/content/support/en_US/security/VTS19-002.html#Issue4"}, {"name": "20190730 VTS19-002: Multiple Vulnerabilities in Veritas Resiliency Platform (VRP)", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Jul/39"}, {"name": "http://packetstormsecurity.com/files/153842/Veritas-Resiliency-Platform-VRP-Traversal-Command-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/153842/Veritas-Resiliency-Platform-VRP-Traversal-Command-Execution.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:19:40.869Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.veritas.com/content/support/en_US/security/VTS19-002.html#Issue4"}, {"name": "20190730 VTS19-002: Multiple Vulnerabilities in Veritas Resiliency Platform (VRP)", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Jul/39"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/153842/Veritas-Resiliency-Platform-VRP-Traversal-Command-Execution.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-14415", "datePublished": "2019-07-29T19:04:45", "dateReserved": "2019-07-29T00:00:00", "dateUpdated": "2024-08-05T00:19:40.869Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : n/a (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : n/a (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1. A persistent cross-site scripting (XSS) vulnerability allows a malicious VRP user to inject malicious script into another user's browser, related to resiliency plans functionality. A victim must open a resiliency plan that an attacker has access to. (string)

}

]

metrics : [ »

0 : { »

cvssV3_0 : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : LOW (string)

baseScore : 5.9 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : HIGH (string)

scope : CHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.0/AC:L/AV:N/A:L/C:L/I:L/PR:H/S:C/UI:R (string)

version : 3.0 (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : n/a (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2019-07-31T21:06:10 (string)

orgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

shortName : mitre (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://www.veritas.com/content/support/en_US/security/VTS19-002.html#Issue4 (string)

}

1 : { »

name : 20190730 VTS19-002: Multiple Vulnerabilities in Veritas Resiliency Platform (VRP) (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_FULLDISC (string)

]

url : http://seclists.org/fulldisclosure/2019/Jul/39 (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : http://packetstormsecurity.com/files/153842/Veritas-Resiliency-Platform-VRP-Traversal-Command-Execution.html (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : cve@mitre.org (string)

ID : CVE-2019-14415 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : n/a (string)

version : { »

version_data : [ »

0 : { »

version_value : n/a (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1. A persistent cross-site scripting (XSS) vulnerability allows a malicious VRP user to inject malicious script into another user's browser, related to resiliency plans functionality. A victim must open a resiliency plan that an attacker has access to. (string)

}

]

}

impact : { »

cvss : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : LOW (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : HIGH (string)

scope : CHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.0/AC:L/AV:N/A:L/C:L/I:L/PR:H/S:C/UI:R (string)

version : 3.0 (string)

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : n/a (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://www.veritas.com/content/support/en_US/security/VTS19-002.html#Issue4 (string)

refsource : MISC (string)

url : https://www.veritas.com/content/support/en_US/security/VTS19-002.html#Issue4 (string)

}

1 : { »

name : 20190730 VTS19-002: Multiple Vulnerabilities in Veritas Resiliency Platform (VRP) (string)

refsource : FULLDISC (string)

url : http://seclists.org/fulldisclosure/2019/Jul/39 (string)

}

2 : { »

name : http://packetstormsecurity.com/files/153842/Veritas-Resiliency-Platform-VRP-Traversal-Command-Execution.html (string)

refsource : MISC (string)

url : http://packetstormsecurity.com/files/153842/Veritas-Resiliency-Platform-VRP-Traversal-Command-Execution.html (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-05T00:19:40.869Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://www.veritas.com/content/support/en_US/security/VTS19-002.html#Issue4 (string)

}

1 : { »

name : 20190730 VTS19-002: Multiple Vulnerabilities in Veritas Resiliency Platform (VRP) (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_FULLDISC (string)

2 : x_transferred (string)

]

url : http://seclists.org/fulldisclosure/2019/Jul/39 (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : http://packetstormsecurity.com/files/153842/Veritas-Resiliency-Platform-VRP-Traversal-Command-Execution.html (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

assignerShortName : mitre (string)

cveId : CVE-2019-14415 (string)

datePublished : 2019-07-29T19:04:45 (string)

dateReserved : 2019-07-29T00:00:00 (string)

dateUpdated : 2024-08-05T00:19:40.869Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:veritas:resiliency_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "815D07F7-2DDE-4EFD-8C51-7E77EE6B7646", "versionEndExcluding": "3.3.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:veritas:resiliency_platform:3.3.2:-:*:*:*:*:*:*", "matchCriteriaId": "C18635CA-3ED5-47AF-9416-E2CD4DADAFC0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1. A persistent cross-site scripting (XSS) vulnerability allows a malicious VRP user to inject malicious script into another user's browser, related to resiliency plans functionality. A victim must open a resiliency plan that an attacker has access to."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Veritas Resiliencia Platform (VRP) anterior a versi\u00f3n 3.4 HF1. Una vulnerabilidad de tipo cross-site scripting (XSS) persistente permite a un usuario de VRP malicioso inyectar script malicioso en el navegador de otro usuario, relacionada con la funcionalidad de los planes de resiliencia. Una v\u00edctima debe abrir un plan de resiliencia al que un atacante tenga acceso."}], "id": "CVE-2019-14415", "lastModified": "2024-11-21T04:26:42.647", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 1.7, "impactScore": 3.7, "source": "cve@mitre.org", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-29T20:15:12.233", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/153842/Veritas-Resiliency-Platform-VRP-Traversal-Command-Execution.html"}, {"source": "cve@mitre.org", "tags": ["Broken Link", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Jul/39"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.veritas.com/content/support/en_US/security/VTS19-002.html#Issue4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/153842/Veritas-Resiliency-Platform-VRP-Traversal-Command-Execution.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Jul/39"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.veritas.com/content/support/en_US/security/VTS19-002.html#Issue4"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:veritas:resiliency_platform:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 815D07F7-2DDE-4EFD-8C51-7E77EE6B7646 (string)

versionEndExcluding : 3.3.2 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:veritas:resiliency_platform:3.3.2:-:*:*:*:*:*:* (string)

matchCriteriaId : C18635CA-3ED5-47AF-9416-E2CD4DADAFC0 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1. A persistent cross-site scripting (XSS) vulnerability allows a malicious VRP user to inject malicious script into another user's browser, related to resiliency plans functionality. A victim must open a resiliency plan that an attacker has access to. (string)

}

1 : { »

lang : es (string)

value : Se detectó un problema en Veritas Resiliencia Platform (VRP) anterior a versión 3.4 HF1. Una vulnerabilidad de tipo cross-site scripting (XSS) persistente permite a un usuario de VRP malicioso inyectar script malicioso en el navegador de otro usuario, relacionada con la funcionalidad de los planes de resiliencia. Una víctima debe abrir un plan de resiliencia al que un atacante tenga acceso. (string)

}

]

id : CVE-2019-14415 (string)

lastModified : 2024-11-21T04:26:42.647 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : LOW (string)

cvssData : { »

accessComplexity : MEDIUM (string)

accessVector : NETWORK (string)

authentication : SINGLE (string)

availabilityImpact : NONE (string)

baseScore : 3.5 (number)

confidentialityImpact : NONE (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:M/Au:S/C:N/I:P/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 6.8 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV30 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : LOW (string)

baseScore : 5.9 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : HIGH (string)

scope : CHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (string)

version : 3.0 (string)

}

exploitabilityScore : 1.7 (number)

impactScore : 3.7 (number)

source : cve@mitre.org (string)

type : Secondary (string)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 4.8 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : HIGH (string)

scope : CHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 1.7 (number)

impactScore : 2.7 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2019-07-29T20:15:12.233 (string)

references : [ »

0 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Third Party Advisory (string)

1 : VDB Entry (string)

]

url : http://packetstormsecurity.com/files/153842/Veritas-Resiliency-Platform-VRP-Traversal-Command-Execution.html (string)

}

1 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Broken Link (string)

1 : Mailing List (string)

2 : Third Party Advisory (string)

]

url : http://seclists.org/fulldisclosure/2019/Jul/39 (string)

}

2 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://www.veritas.com/content/support/en_US/security/VTS19-002.html#Issue4 (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Third Party Advisory (string)

1 : VDB Entry (string)

]

url : http://packetstormsecurity.com/files/153842/Veritas-Resiliency-Platform-VRP-Traversal-Command-Execution.html (string)

}

4 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Broken Link (string)

1 : Mailing List (string)

2 : Third Party Advisory (string)

]

url : http://seclists.org/fulldisclosure/2019/Jul/39 (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://www.veritas.com/content/support/en_US/security/VTS19-002.html#Issue4 (string)

}

]

sourceIdentifier : cve@mitre.org (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-79 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object