CVE-2018-7064

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

6.1MEDIUM

EPSS

0.4%

top 42.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Arubanetworks Aruba Instant Siemens Scalance W1750d Firmware

Timeline

PublishedMay 10

Latest updateMay 24

Description

A reflected cross-site scripting (XSS) vulnerability is present in an unauthenticated Aruba Instant web interface. An attacker could use this vulnerability to trick an IAP administrator into clicking a link which could then take administrative actions on the Instant cluster, or expose the session cookie for an administrative session. Workaround: Administrators should make sure they log out of the Aruba Instant UI when not actively managing the system, and should use caution clicking links from e…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDarubanetworks/aruba_instant4.0 — 4.2.4.12+3

▶CVEListV5aruba_instant_(iap)Aruba Instant 4.x prior to 6.4.4.8 - 4.2.4.12 Aruba Instant 6.5.x prior to 6.5.4.11 Aruba Instant 8.3.x prior to 8.3.0.6 Aruba Instant 8.4.x prior to 8.4.0.1

▶NVDsiemens/scalance_w1750d_firmware< 8.4.0.1

Patches

Patch: cert-portal.siemens.com ↗Patch: cert-portal.siemens.com ↗

🔴Vulnerability Details

GHSA

GHSA-h438-gvrc-w5f9: A reflected cross-site scripting (XSS) vulnerability is present in an unauthenticated Aruba Instant web interface↗2022-05-24

▶

CVEList

CVE-2018-7064: A reflected cross-site scripting (XSS) vulnerability is present in an unauthenticated Aruba Instant web interface↗2019-05-10

▶