Oracle Primavera Gateway up to 16.2.11/17.12.8 Admin cross site scripting

entryeditHistoryDiffjsonxmlCTI

A vulnerability was found in Oracle Primavera Gateway up to 16.2.11/17.12.8. It has been rated as very critical. Affected by this issue is an unknown code block of the component Admin. Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

Field11/21/2020 07:36 AM11/22/2020 08:50 PM11/22/2020 08:55 PM
risk222
cvss3_vuldb_avNNN
cvss3_vuldb_acLLL
cvss3_vuldb_prNNN
cvss3_vuldb_uiNNN
cvss3_vuldb_sUUU
cvss3_vuldb_cHHH
cvss3_vuldb_iHHH
cvss3_vuldb_aHHH
cvss3_vuldb_rlOOO
cvss3_vuldb_rcCCC
version<=16.2.11/17.12.8<=16.2.11/17.12.8<=16.2.11/17.12.8
urlhttps://www.oracle.com/security-alerts/cpuoct2020.htmlhttps://www.oracle.com/security-alerts/cpuoct2020.htmlhttps://www.oracle.com/security-alerts/cpuoct2020.html
date160314480016031448001603144800
identifierOracle Critical Patch Update Advisory - October 2020Oracle Critical Patch Update Advisory - October 2020Oracle Critical Patch Update Advisory - October 2020
nameUpgradeUpgradeUpgrade
date160314480016031448001603144800
cvss2_vuldb_avNNN
cvss2_vuldb_acLLL
cvss2_vuldb_auNNN
cvss2_vuldb_ciCCC
cvss2_vuldb_iiCCC
cvss2_vuldb_aiCCC
cvss2_vuldb_eNDNDND
cvss2_vuldb_rlNDNDND
cvss2_vuldb_rcNDNDND
cvss3_vuldb_eXXX
cvss2_vuldb_basescore10.010.010.0
cvss2_vuldb_tempscore8.78.78.7
cvss3_vuldb_basescore9.89.89.8
cvss3_vuldb_tempscore9.49.49.4
cvss3_meta_basescore9.89.89.8
cvss3_meta_tempscore9.49.49.4
price_0day$5k-$25k$5k-$25k$5k-$25k
vendorOracleOracleOracle
namePrimavera GatewayPrimavera GatewayPrimavera Gateway
cveCVE-2019-17495CVE-2019-17495CVE-2019-17495
componentAdminAdminAdmin
cvss2_nvd_basescore7.57.57.5
cvss3_nvd_basescore9.89.89.8
cve_assigned15706584001570658400
cve_nvd_summaryA Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that @import within the JSON data was a functional attack method.A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that @import within the JSON data was a functional attack method.
cwe79
cvss3_nvd_avN
cvss3_nvd_acL
cvss3_nvd_prN
cvss3_nvd_uiN
cvss3_nvd_sU
cvss3_nvd_cH
cvss3_nvd_iH
cvss3_nvd_aH
cvss2_nvd_avN
cvss2_nvd_acL
cvss2_nvd_auN
cvss2_nvd_ciP
cvss2_nvd_iiP
cvss2_nvd_aiP

Do you need the next level of professionalism?

Upgrade your account now!