CVE-2018-18985
published 2019-01-29CVE-2018-18985: Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions…
PriorityP425medium5.4CVSS 3.0
AVNACLPRLUIRSCCLILAN
EPSS
0.97%
57.6th percentile
Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tridium | niagara | < 4.4.93.40.2 | 4.4.93.40.2 |
| tridium | niagara | — | — |
| tridium | niagara | >= 4.6 < 4.6.96.28.4 | 4.6.96.28.4 |
| tridium | niagara_ax_framework | < 3.8.401.1 | 3.8.401.1 |
| tridium | niagara_ax_framework | — | — |
| tridium | niagara_enterprise_security | < 2.3.118.6 | 2.3.118.6 |
| tridium | niagara_enterprise_security | — | — |
CVSS provenance
nvdv3.05.4MEDIUMCVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:N/I:P/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-76hj-25wr-pvgg: Tridium Niagara Enterprise Security 2
ghsa_unreviewed·2022-05-13
CVE-2018-18985 [MEDIUM] CWE-79 GHSA-76hj-25wr-pvgg: Tridium Niagara Enterprise Security 2
Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality.
CISA ICS
Tridium Niagara Enterprise Security, Niagara AX, and Niagara 4
cisa_ics·2019-01-10·CVSS 5.4
[MEDIUM] Tridium Niagara Enterprise Security, Niagara AX, and Niagara 4
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Tridium Niagara Enterprise Security, Niagara AX, and Niagara 4
Last RevisedJanuary 10, 2019
Alert CodeICSA-18-333-02
## 1. EXECUTIVE SUMMARY
-
CVSS v3 5.7
- ATTENTION: Exploitable remotely/low skill level
- Vendor: Tridium
- Equipment: Niagara Enterprise Security, Niagara AX, and Niagara 4
- Vulnerability: Cross-site Scripting
## 2. REPOSTED INFORMATION
This advisory was originally posted to the HSIN ICS-CERT library on November 29, 2018, and is being released to the NCCIC/ICS-CERT website.
## 3. RISK EVALUATION
Successful exploitation of this vulnerability could allow a
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2019-01-29
Published