[ Date Prev ][ Date Next ][ Thread Prev ][ Thread Next ][ Date Index ][ Thread Index ]

Re: CVE for services - already done? CVE-2017-10128

To : cve-editorial-board-list < cve-editorial-board-list@lists.mitre.org >
Subject : Re: CVE for services - already done? CVE-2017-10128
From : jericho < jericho@attrition.org >
Date : Thu, 16 Nov 2017 11:57:37 -0600
Authentication-results : spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=attrition.org;
Delivery-date : Thu Nov 16 13:43:24 2017
Importance : high
In-reply-to : <CABqVa3-k3+6U4RdCSBVvAagE5Jiw9xXnbZqj0BcS3XUN_BECcQ@mail.gmail.com>
List-help : < mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST >
List-owner : < mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG >
List-subscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG >
List-unsubscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG >
References : <CABqVa3-k3+6U4RdCSBVvAagE5Jiw9xXnbZqj0BcS3XUN_BECcQ@mail.gmail.com>
Sender : < owner-cve-editorial-board-list@lists.mitre.org >
Spamdiagnosticmetadata : 5952c28dcc454f0789fb433d26f936ef
Spamdiagnosticoutput : 1:2
User-agent : Alpine 2.00 (LNX 1167 2008-08-23)

Looks like Cisco assigned 3 IDs for a service:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-res

From the CVE description:

Multiple vulnerabilities in the web interface of the Cisco
Registered
Envelope Service (a cloud-based service) could allow an
unauthenticated, remote attacker to conduct a cross-site scripting
(XSS) attack or redirect a user of the affected service to an
undesired
web page. The vulnerabilities are due to insufficient validation of
user-supplied input by the web-based management interface of the
affected service.

Was a decision made to include these in MITRE on a board call? I don't
recall a formal announcement or a vote on that topic, but there has
been
extensive discussion with a lot of mixed feelings.

Brian

On Wed, 18 Oct 2017, Kurt Seifried wrote:

: Vulnerability in the Hospitality WebSuite8 Cloud Service component of
: Oracle Hospitality Applications (subcomponent: General). Supported
versions
: that are affected are 8.9.6 and 8.10.x. Easily exploitable
vulnerability
: allows unauthenticated attacker with network access via HTTP to
compromise
: Hospitality WebSuite8 Cloud Service. Successful attacks require human
: interaction from a person other than the attacker and while the
: vulnerability is in Hospitality WebSuite8 Cloud Service, attacks may
: significantly impact additional products. Successful attacks of this
: vulnerability can result in unauthorized update, insert or delete
access to
: some of Hospitality WebSuite8 Cloud Service accessible data as well as
: unauthorized read access to a subset of Hospitality WebSuite8 Cloud
Service
: accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and
Integrity
: impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
:
: https://www.oracle.com/industries/hospitality/products/websuite8.html
:
: Oracle Hospitality WebSuite8 is cloud-based hotel software designed
for
: small hotels and guest and boarding houses. The solution enables
efficient
: guest and room management while increasing online revenue through an
: integrated booking engine and channel manager solution. This product
is
: available in the EMEA and JAPAC regions only.
:
: So I guess we're doing cloud services now =) or should this be
rejected, or?
:
: --
: Kurt Seifried
: kurt@seifried.org
:

Prev by Date: Re: Agenda for CVE Board Meeting Wednesday, 15 November 2017
Next by Date: Good quote on CVE/github
Previous by thread: Canceled: Bi-Weekly CVE Board Meeting
Next by thread: Good quote on CVE/github
Index(es):
- Date
- Thread