Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2018-18875 (GCVE-0-2018-18875)
Vulnerability from cvelistv5 – Published: 2019-06-18 14:29 – Updated: 2024-08-05 11:23
VLAI?
EPSS
Summary
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:08.317Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-18T14:29:39.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18875",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://applied-risk.com/labs/advisories",
"refsource": "MISC",
"url": "https://applied-risk.com/labs/advisories"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-18875",
"datePublished": "2019-06-18T14:29:39.000Z",
"dateReserved": "2018-10-31T00:00:00.000Z",
"dateUpdated": "2024-08-05T11:23:08.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2018-18875\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-06-18T15:15:11.313\",\"lastModified\":\"2024-11-21T03:56:47.960\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php.\"},{\"lang\":\"es\",\"value\":\"En la versi\u00f3n de firmware MS_2.6.9900 de Columbia Weather MicroServer, una vulnerabilidad almacenada de secuencias de comandos entre sitios (XSS) permite a los usuarios identificados de forma remota inyectar secuencias de comandos web arbitrarias a trav\u00e9s de changestationname.php.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:columbiaweather:weather_microserver_firmware:ms_2.6.9900:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C30C79EF-E4AF-4295-989C-65E0C19D59F3\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:columbiaweather:weather_microserver:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"10FA303F-A9BC-43A0-9C9A-2362210FA0A0\"}]}]}],\"references\":[{\"url\":\"https://applied-risk.com/labs/advisories\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://applied-risk.com/labs/advisories\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
}
}
FKIE_CVE-2018-18875
Vulnerability from fkie_nvd - Published: 2019-06-18 15:15 - Updated: 2024-11-21 03:56
Severity ?
Summary
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://applied-risk.com/labs/advisories | Third Party Advisory | |
| cve@mitre.org | https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://applied-risk.com/labs/advisories | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| columbiaweather | weather_microserver_firmware | ms_2.6.9900 | |
| columbiaweather | weather_microserver | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:columbiaweather:weather_microserver_firmware:ms_2.6.9900:*:*:*:*:*:*:*",
"matchCriteriaId": "C30C79EF-E4AF-4295-989C-65E0C19D59F3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:columbiaweather:weather_microserver:-:*:*:*:*:*:*:*",
"matchCriteriaId": "10FA303F-A9BC-43A0-9C9A-2362210FA0A0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php."
},
{
"lang": "es",
"value": "En la versi\u00f3n de firmware MS_2.6.9900 de Columbia Weather MicroServer, una vulnerabilidad almacenada de secuencias de comandos entre sitios (XSS) permite a los usuarios identificados de forma remota inyectar secuencias de comandos web arbitrarias a trav\u00e9s de changestationname.php."
}
],
"id": "CVE-2018-18875",
"lastModified": "2024-11-21T03:56:47.960",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-06-18T15:15:11.313",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GSD-2018-18875
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2018-18875",
"description": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php.",
"id": "GSD-2018-18875"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2018-18875"
],
"details": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php.",
"id": "GSD-2018-18875",
"modified": "2023-12-13T01:22:36.641304Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18875",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://applied-risk.com/labs/advisories",
"refsource": "MISC",
"url": "https://applied-risk.com/labs/advisories"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:columbiaweather:weather_microserver_firmware:ms_2.6.9900:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:columbiaweather:weather_microserver:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18875"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://applied-risk.com/labs/advisories",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02",
"refsource": "MISC",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7
}
},
"lastModifiedDate": "2019-06-18T18:44Z",
"publishedDate": "2019-06-18T15:15Z"
}
}
}
CNVD-2019-07791
Vulnerability from cnvd - Published: 2019-03-22
VLAI Severity ?
Title
Columbia Weather Systems Weather MicroServer跨站脚本漏洞
Description
Columbia Weather Systems Weather MicroServer是美国Columbia Weather Systems公司的一款气象监测设备。
Columbia Weather Systems Weather MicroServer MS_2.6.9900及之前版本中存在跨站脚本漏洞,该漏洞源于程序未能正确地验证输入。远程攻击者可利用该漏洞执行任意的Web脚本。
Severity
中
Patch Name
Columbia Weather Systems Weather MicroServer跨站脚本漏洞的补丁
Patch Description
Columbia Weather Systems Weather MicroServer是美国Columbia Weather Systems公司的一款气象监测设备。
Columbia Weather Systems Weather MicroServer MS_2.6.9900及之前版本中存在跨站脚本漏洞,该漏洞源于程序未能正确地验证输入。远程攻击者可利用该漏洞执行任意的Web脚本。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁以修复漏洞,详情请关注厂商主页: https://columbiaweather.com/
Reference
https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02
Impacted products
| Name | Columbia Weather Systems Columbia Weather Systems Weather MicroServer <=MS_2.6.9900 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2018-18875"
}
},
"description": "Columbia Weather Systems Weather MicroServer\u662f\u7f8e\u56fdColumbia Weather Systems\u516c\u53f8\u7684\u4e00\u6b3e\u6c14\u8c61\u76d1\u6d4b\u8bbe\u5907\u3002\n\nColumbia Weather Systems Weather MicroServer MS_2.6.9900\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u5730\u9a8c\u8bc1\u8f93\u5165\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u7684Web\u811a\u672c\u3002",
"discovererName": "John Elder and Tom Westenberg of Applied Risk",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://columbiaweather.com/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2019-07791",
"openTime": "2019-03-22",
"patchDescription": "Columbia Weather Systems Weather MicroServer\u662f\u7f8e\u56fdColumbia Weather Systems\u516c\u53f8\u7684\u4e00\u6b3e\u6c14\u8c61\u76d1\u6d4b\u8bbe\u5907\u3002\r\n\r\nColumbia Weather Systems Weather MicroServer MS_2.6.9900\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u5730\u9a8c\u8bc1\u8f93\u5165\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u7684Web\u811a\u672c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Columbia Weather Systems Weather MicroServer\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "Columbia Weather Systems Columbia Weather Systems Weather MicroServer \u003c=MS_2.6.9900"
},
"referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02",
"serverity": "\u4e2d",
"submitTime": "2019-03-20",
"title": "Columbia Weather Systems Weather MicroServer\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}
VAR-201906-0896
Vulnerability from variot - Updated: 2024-11-23 21:59In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php. Columbia Weather MicroServer Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. ColumbiaWeatherSystemsWeatherMicroServer is a weather monitoring device from Columbia WeatherSystems, USA. A cross-site scripting vulnerability exists in ColumbiaWeatherSystemsWeatherMicroServerMS_2.6.9900 and earlier that caused the program to fail to validate input correctly. A remote attacker can exploit this vulnerability to execute arbitrary web scripts. A directory traversal vulnerability 2. Multiple cross-site scripting vulnerabilities 3. An authentication bypass vulnerability 4. A remote code-injection vulnerability 5. A denial-of-service vulnerability An attacker may leverage these issues to view arbitrary files within the context of the server, execute arbitrary script code in the browser of the victim in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information or cause denial-of-service condition. This may aid in further attacks. The vulnerability stems from the lack of correct validation of client data in WEB applications
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0896",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "weather microserver",
"scope": "eq",
"trust": 1.0,
"vendor": "columbiaweather",
"version": "ms_2.6.9900"
},
{
"model": "microserver",
"scope": "eq",
"trust": 0.8,
"vendor": "columbia weather",
"version": "ms_2.6.9900"
},
{
"model": "weather systems columbia weather systems weather microserver \u003c=ms 2.6.9900",
"scope": null,
"trust": 0.6,
"vendor": "columbia",
"version": null
},
{
"model": "weather systems weather microserver ms 2.6.9900",
"scope": null,
"trust": 0.3,
"vendor": "columbia",
"version": null
},
{
"model": "weather systems weather microserver ms 2.7.9973",
"scope": "ne",
"trust": 0.3,
"vendor": "columbia",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-07791"
},
{
"db": "BID",
"id": "107495"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015656"
},
{
"db": "NVD",
"id": "CVE-2018-18875"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:columbiaweather:weather_microserver_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015656"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "John Elder and Tom Westenberg of Applied Risk.,John Elder and Tom Westenberg of Applied Risk reported these vulnerabilities to NCCIC.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201903-654"
}
],
"trust": 0.6
},
"cve": "CVE-2018-18875",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"id": "CVE-2018-18875",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "LOW",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CNVD-2019-07791",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"id": "VHN-129478",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "LOW",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:S/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.3,
"id": "CVE-2018-18875",
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"trust": 1.8,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2018-18875",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2018-18875",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2019-07791",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201903-654",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-129478",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-07791"
},
{
"db": "VULHUB",
"id": "VHN-129478"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015656"
},
{
"db": "CNNVD",
"id": "CNNVD-201903-654"
},
{
"db": "NVD",
"id": "CVE-2018-18875"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php. Columbia Weather MicroServer Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. ColumbiaWeatherSystemsWeatherMicroServer is a weather monitoring device from Columbia WeatherSystems, USA. A cross-site scripting vulnerability exists in ColumbiaWeatherSystemsWeatherMicroServerMS_2.6.9900 and earlier that caused the program to fail to validate input correctly. A remote attacker can exploit this vulnerability to execute arbitrary web scripts. A directory traversal vulnerability\n2. Multiple cross-site scripting vulnerabilities\n3. An authentication bypass vulnerability\n4. A remote code-injection vulnerability\n5. A denial-of-service vulnerability\nAn attacker may leverage these issues to view arbitrary files within the context of the server, execute arbitrary script code in the browser of the victim in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information or cause denial-of-service condition. This may aid in further attacks. The vulnerability stems from the lack of correct validation of client data in WEB applications",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-18875"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015656"
},
{
"db": "CNVD",
"id": "CNVD-2019-07791"
},
{
"db": "BID",
"id": "107495"
},
{
"db": "VULHUB",
"id": "VHN-129478"
}
],
"trust": 2.52
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-18875",
"trust": 3.4
},
{
"db": "ICS CERT",
"id": "ICSA-19-078-02",
"trust": 3.4
},
{
"db": "BID",
"id": "107495",
"trust": 0.9
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015656",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201903-654",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2019-07791",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.0903",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-129478",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-07791"
},
{
"db": "VULHUB",
"id": "VHN-129478"
},
{
"db": "BID",
"id": "107495"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015656"
},
{
"db": "CNNVD",
"id": "CNNVD-201903-654"
},
{
"db": "NVD",
"id": "CVE-2018-18875"
}
]
},
"id": "VAR-201906-0896",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-07791"
},
{
"db": "VULHUB",
"id": "VHN-129478"
}
],
"trust": 1.7
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS",
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-07791"
}
]
},
"last_update_date": "2024-11-23T21:59:50.956000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Weather MicroServer",
"trust": 0.8,
"url": "https://columbiaweather.com/products/weather-monitoring/microserver/"
},
{
"title": "Patch for Columbia WeatherSystemsWeatherMicroServer Cross-Site Scripting Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/156839"
},
{
"title": "Columbia Weather Systems Weather MicroServer Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90210"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-07791"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015656"
},
{
"db": "CNNVD",
"id": "CNNVD-201903-654"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-129478"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015656"
},
{
"db": "NVD",
"id": "CVE-2018-18875"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.4,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-19-078-02"
},
{
"trust": 1.7,
"url": "https://applied-risk.com/labs/advisories"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-18875"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18875"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/77442"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/bid/107495"
},
{
"trust": 0.3,
"url": "https://columbiaweather.com/"
},
{
"trust": 0.3,
"url": "https://columbiaweather.com/products/weather-monitoring/microserver/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-07791"
},
{
"db": "VULHUB",
"id": "VHN-129478"
},
{
"db": "BID",
"id": "107495"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015656"
},
{
"db": "CNNVD",
"id": "CNNVD-201903-654"
},
{
"db": "NVD",
"id": "CVE-2018-18875"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-07791"
},
{
"db": "VULHUB",
"id": "VHN-129478"
},
{
"db": "BID",
"id": "107495"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015656"
},
{
"db": "CNNVD",
"id": "CNNVD-201903-654"
},
{
"db": "NVD",
"id": "CVE-2018-18875"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-03-22T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-07791"
},
{
"date": "2019-06-18T00:00:00",
"db": "VULHUB",
"id": "VHN-129478"
},
{
"date": "2019-03-19T00:00:00",
"db": "BID",
"id": "107495"
},
{
"date": "2019-06-21T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015656"
},
{
"date": "2019-03-19T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201903-654"
},
{
"date": "2019-06-18T15:15:11.313000",
"db": "NVD",
"id": "CVE-2018-18875"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-03-22T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-07791"
},
{
"date": "2019-06-18T00:00:00",
"db": "VULHUB",
"id": "VHN-129478"
},
{
"date": "2019-03-19T00:00:00",
"db": "BID",
"id": "107495"
},
{
"date": "2019-06-21T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015656"
},
{
"date": "2019-06-19T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201903-654"
},
{
"date": "2024-11-21T03:56:47.960000",
"db": "NVD",
"id": "CVE-2018-18875"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201903-654"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Columbia Weather Systems Weather MicroServer Cross-Site Scripting Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-07791"
},
{
"db": "CNNVD",
"id": "CNNVD-201903-654"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201903-654"
}
],
"trust": 0.6
}
}
GHSA-CF8C-HQ3H-VJ64
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2022-05-24 16:48
VLAI?
Details
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php.
{
"affected": [],
"aliases": [
"CVE-2018-18875"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-18T15:15:00Z",
"severity": "MODERATE"
},
"details": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php.",
"id": "GHSA-cf8c-hq3h-vj64",
"modified": "2022-05-24T16:48:15Z",
"published": "2022-05-24T16:48:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18875"
},
{
"type": "WEB",
"url": "https://applied-risk.com/labs/advisories"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
ICSA-19-078-02
Vulnerability from csaf_cisa - Published: 2019-03-19 00:00 - Updated: 2019-03-19 00:00Summary
Columbia Weather Systems MicroServer
Notes
CISA Disclaimer: This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice: All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation: Successful exploitation of these vulnerabilities may allow disclosure of data, cause a denial-of-service condition, and allow remote code execution.
Critical infrastructure sectors: Information Technology
Countries/areas deployed: United States
Company headquarters location: United States
Recommended Practices: NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
Recommended Practices: NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices: Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.
7.3 (High)
Vendor Fix
Columbia Weather Systems has released a firmware update, Version: MS_2.7.9973, that addresses all the above vulnerabilities found on the Weather MicroServer.
Vendor Fix
To upgrade Weather MicroServer, please contact Columbia Weather Systems:Phone: 503-629-0887 or email: support@columbiaweather.com
5.3 (Medium)
Vendor Fix
Columbia Weather Systems has released a firmware update, Version: MS_2.7.9973, that addresses all the above vulnerabilities found on the Weather MicroServer.
Vendor Fix
To upgrade Weather MicroServer, please contact Columbia Weather Systems:Phone: 503-629-0887 or email: support@columbiaweather.com
9.8 (Critical)
Vendor Fix
Columbia Weather Systems has released a firmware update, Version: MS_2.7.9973, that addresses all the above vulnerabilities found on the Weather MicroServer.
Vendor Fix
To upgrade Weather MicroServer, please contact Columbia Weather Systems:Phone: 503-629-0887 or email: support@columbiaweather.com
7.5 (High)
Vendor Fix
Columbia Weather Systems has released a firmware update, Version: MS_2.7.9973, that addresses all the above vulnerabilities found on the Weather MicroServer.
Vendor Fix
To upgrade Weather MicroServer, please contact Columbia Weather Systems:Phone: 503-629-0887 or email: support@columbiaweather.com
9.8 (Critical)
Vendor Fix
Columbia Weather Systems has released a firmware update, Version: MS_2.7.9973, that addresses all the above vulnerabilities found on the Weather MicroServer.
Vendor Fix
To upgrade Weather MicroServer, please contact Columbia Weather Systems:Phone: 503-629-0887 or email: support@columbiaweather.com
7.3 (High)
Vendor Fix
Columbia Weather Systems has released a firmware update, Version: MS_2.7.9973, that addresses all the above vulnerabilities found on the Weather MicroServer.
Vendor Fix
To upgrade Weather MicroServer, please contact Columbia Weather Systems:Phone: 503-629-0887 or email: support@columbiaweather.com
References
Acknowledgments
Applied Risk
John Elder
Tom Westenberg
{
"document": {
"acknowledgments": [
{
"names": [
"John Elder",
"Tom Westenberg"
],
"organization": "Applied Risk",
"summary": "reporting these vulnerabilities to NCCIC"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of these vulnerabilities may allow disclosure of data, cause a denial-of-service condition, and allow remote code execution.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Information Technology",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "United States",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "United States",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-19-078-02 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2019/icsa-19-078-02.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-19-078-02 Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-19-078-02"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
}
],
"title": "Columbia Weather Systems MicroServer",
"tracking": {
"current_release_date": "2019-03-19T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-19-078-02",
"initial_release_date": "2019-03-19T00:00:00.000000Z",
"revision_history": [
{
"date": "2019-03-19T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSA-19-078-02 Columbia Weather Systems MicroServer"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c= MS_2.6.9900",
"product": {
"name": "Weather MicroServer: firmware Version MS_2.6.9900 and prior",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "Weather MicroServer"
}
],
"category": "vendor",
"name": "Columbia Weather Systems, Inc."
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-18875",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "summary",
"text": "A cross-site scripting error exists that does not properly validate input, which may allow arbitrary web script to be executed.CVE-2018-18875 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18875"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Columbia Weather Systems has released a firmware update, Version: MS_2.7.9973, that addresses all the above vulnerabilities found on the Weather MicroServer.",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "vendor_fix",
"details": "To upgrade Weather MicroServer, please contact Columbia Weather Systems:Phone: 503-629-0887 or email: support@columbiaweather.com",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
]
},
{
"cve": "CVE-2018-18876",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "summary",
"text": "A path traversal vulnerability exists that could allow an attacker read access to files within the directory structure of the target device.CVE-2018-18876 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18876"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Columbia Weather Systems has released a firmware update, Version: MS_2.7.9973, that addresses all the above vulnerabilities found on the Weather MicroServer.",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "vendor_fix",
"details": "To upgrade Weather MicroServer, please contact Columbia Weather Systems:Phone: 503-629-0887 or email: support@columbiaweather.com",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
]
},
{
"cve": "CVE-2018-18877",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "summary",
"text": "An improper authentication vulnerability exists that could allow a possible authentication bypass, allowing an attacker to manipulate the device and cause a denial-of-service condition.CVE-2018-18877 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18877"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Columbia Weather Systems has released a firmware update, Version: MS_2.7.9973, that addresses all the above vulnerabilities found on the Weather MicroServer.",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "vendor_fix",
"details": "To upgrade Weather MicroServer, please contact Columbia Weather Systems:Phone: 503-629-0887 or email: support@columbiaweather.com",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
]
},
{
"cve": "CVE-2018-18878",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "An improper input validation vulnerability exists allowing an attacker to craft the input in a form that is not expected by the rest of the application, causing a denial-of-service condition and the device to become unavailable.CVE-2018-18878 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18878"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Columbia Weather Systems has released a firmware update, Version: MS_2.7.9973, that addresses all the above vulnerabilities found on the Weather MicroServer.",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "vendor_fix",
"details": "To upgrade Weather MicroServer, please contact Columbia Weather Systems:Phone: 503-629-0887 or email: support@columbiaweather.com",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
]
},
{
"cve": "CVE-2018-18879",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"category": "summary",
"text": "A code injection vulnerability exists that could allow remote code execution.CVE-2018-18879 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18879"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Columbia Weather Systems has released a firmware update, Version: MS_2.7.9973, that addresses all the above vulnerabilities found on the Weather MicroServer.",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "vendor_fix",
"details": "To upgrade Weather MicroServer, please contact Columbia Weather Systems:Phone: 503-629-0887 or email: support@columbiaweather.com",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
]
},
{
"cve": "CVE-2018-18880",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "summary",
"text": "A cross-site scripting error exists that does not properly validate input, which may allow arbitrary web script to be executed.CVE-2018-18880 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18880"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Columbia Weather Systems has released a firmware update, Version: MS_2.7.9973, that addresses all the above vulnerabilities found on the Weather MicroServer.",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "vendor_fix",
"details": "To upgrade Weather MicroServer, please contact Columbia Weather Systems:Phone: 503-629-0887 or email: support@columbiaweather.com",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
]
}
]
}
Loading…
Show additional events:
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…