Lucene search

MicrofocusCVE-2017-7422

HistoryAug 21, 2017 - 3:29 p.m.

CVE-2017-7422

2017-08-2115:29:00

CWE-79

microfocus

web.nvd.nist.gov

cve-2017-7422

esfadmingui

micro focus

enterprise developer

enterprise server

xss

cwe-79

cwe-693

security

vulnerability

nvd

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

5.4

Confidence

High

EPSS

0.001

Percentile

28.5%

JSON

Reflected and stored Cross-Site Scripting (XSS, CWE-79) vulnerabilities in esfadmingui in Micro Focus Enterprise Developer and Enterprise Server 2.3, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allow remote authenticated attackers to bypass protection mechanisms (CWE-693) and other security features, if this component is configured. Note esfadmingui is not enabled by default.

Affected configurations

Nvd

Node

microfocusenterprise_developerMatch2.3

microfocusenterprise_developerMatch2.3update1

microfocusenterprise_developerMatch2.3update2

microfocusenterprise_serverMatch2.3

microfocusenterprise_serverMatch2.3update1

microfocusenterprise_serverMatch2.3update2

VendorProductVersionCPE
microfocusenterprise_developer2.3cpe:2.3:a:microfocus:enterprise_developer:2.3:*:*:*:*:*:*:*
microfocusenterprise_developer2.3cpe:2.3:a:microfocus:enterprise_developer:2.3:update1:*:*:*:*:*:*
microfocusenterprise_developer2.3cpe:2.3:a:microfocus:enterprise_developer:2.3:update2:*:*:*:*:*:*
microfocusenterprise_server2.3cpe:2.3:a:microfocus:enterprise_server:2.3:*:*:*:*:*:*:*
microfocusenterprise_server2.3cpe:2.3:a:microfocus:enterprise_server:2.3:update1:*:*:*:*:*:*
microfocusenterprise_server2.3cpe:2.3:a:microfocus:enterprise_server:2.3:update2:*:*:*:*:*:*

Vendor	Product	Version	CPE
microfocus	enterprise_developer	2.3	cpe:2.3:a:microfocus:enterprise_developer:2.3:::::::*
microfocus	enterprise_developer	2.3	cpe:2.3:a:microfocus:enterprise_developer:2.3:update1::::::
microfocus	enterprise_developer	2.3	cpe:2.3:a:microfocus:enterprise_developer:2.3:update2::::::
microfocus	enterprise_server	2.3	cpe:2.3:a:microfocus:enterprise_server:2.3:::::::*
microfocus	enterprise_server	2.3	cpe:2.3:a:microfocus:enterprise_server:2.3:update1::::::
microfocus	enterprise_server	2.3	cpe:2.3:a:microfocus:enterprise_server:2.3:update2::::::

CNA Affected

[
  {
    "product": "Micro Focus Enterprise Developer, Micro Focus Enterprise Server",
    "vendor": "Micro Focus",
    "versions": [
      {
        "status": "affected",
        "version": "2.3 before 2.3 Update 1, 2.3 Update 1 before Hotfix 8, 2.3 Update 2 before Hotfix 9"
      }
    ]
  }
]

References

community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29131/enterprise-server-security-fixes-july-2017

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

5.4

Confidence

High

EPSS

0.001

Percentile

28.5%

JSON

Related for CVE-2017-7422