|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CVE for services - already done? CVE-2017-10128
- To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
- Subject: Re: CVE for services - already done? CVE-2017-10128
- From: jericho <jericho@attrition.org>
- Date: Thu, 16 Nov 2017 11:57:37 -0600
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=attrition.org;
- Delivery-date: Thu Nov 16 13:43:24 2017
- Importance: high
- In-reply-to: <CABqVa3-k3+6U4RdCSBVvAagE5Jiw9xXnbZqj0BcS3XUN_BECcQ@mail.gmail.com>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <CABqVa3-k3+6U4RdCSBVvAagE5Jiw9xXnbZqj0BcS3XUN_BECcQ@mail.gmail.com>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 5952c28dcc454f0789fb433d26f936ef
- Spamdiagnosticoutput: 1:2
- User-agent: Alpine 2.00 (LNX 1167 2008-08-23)
Looks like Cisco assigned 3 IDs for a service: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-res From the CVE description: Multiple vulnerabilities in the web interface of the Cisco Registered Envelope Service (a cloud-based service) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack or redirect a user of the affected service to an undesired web page. The vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface of the affected service. Was a decision made to include these in MITRE on a board call? I don't recall a formal announcement or a vote on that topic, but there has been extensive discussion with a lot of mixed feelings. Brian On Wed, 18 Oct 2017, Kurt Seifried wrote: : Vulnerability in the Hospitality WebSuite8 Cloud Service component of : Oracle Hospitality Applications (subcomponent: General). Supported versions : that are affected are 8.9.6 and 8.10.x. Easily exploitable vulnerability : allows unauthenticated attacker with network access via HTTP to compromise : Hospitality WebSuite8 Cloud Service. Successful attacks require human : interaction from a person other than the attacker and while the : vulnerability is in Hospitality WebSuite8 Cloud Service, attacks may : significantly impact additional products. Successful attacks of this : vulnerability can result in unauthorized update, insert or delete access to : some of Hospitality WebSuite8 Cloud Service accessible data as well as : unauthorized read access to a subset of Hospitality WebSuite8 Cloud Service : accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity : impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). : : https://www.oracle.com/industries/hospitality/products/websuite8.html : : Oracle Hospitality WebSuite8 is cloud-based hotel software designed for : small hotels and guest and boarding houses. The solution enables efficient : guest and room management while increasing online revenue through an : integrated booking engine and channel manager solution. This product is : available in the EMEA and JAPAC regions only. : : So I guess we're doing cloud services now =) or should this be rejected, or? : : -- : Kurt Seifried : kurt@seifried.org :
- Prev by Date: Re: Agenda for CVE Board Meeting Wednesday, 15 November 2017
- Next by Date: Good quote on CVE/github
- Previous by thread: Canceled: Bi-Weekly CVE Board Meeting
- Next by thread: Good quote on CVE/github
- Index(es):