CVE-2018-1000611

EUVD-2018-1948
SURFnet OpenConext EngineBlock version 5.7.0 to 5.7.3 contains a Cross Site Scripting (XSS) vulnerability that can result in Allows an attacker to inject arbitrary web scripts or HTML into help and login pages. This attack appear to be exploitable via the victim opening a specially crafted URL.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 46%
Affected Products (NVD)
VendorProductVersion
openconextopenconext_engineblock
5.7.0 ≤
𝑥
≤ 5.7.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/OpenConext/OpenConext-engineblock/pull/563/files
https://github.com/OpenConext/OpenConext-engineblock/pull/563/files