CVE-2024-5410
Published 2024-05-28. CVE-2024-5410: Missing input validation in the ORing IAP-420 web-interface allows stored Cross-Site Scripting (XSS). This issue affects IAP-420 version 2.01e and below.
Priority: P3 · 35 · medium · 5.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 13.16% (95.9th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oring | iap-420 | <= 2.01e | — |
| oringnet | iap-420_firmware | <= 2.01e | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | 4.0 | 8.3 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_oracle | — | 7.5 | HIGH | — |
CISA ICS
[HIGH] ORing IAP-420 (ICS Advisory)
cisa_ics · 2025-02-13 · CVSS 8.3
## ORing IAP-420
Release Date: February 13, 2025
Alert Code: ICSA-25-044-15
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 8.6
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: ORing
- Equipment: IAP-20
- Vulnerabilities: Cross-site Scripting, Command Injection
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to invoke commands to compromise the device via the management interface.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following ORing products are affected:
- IAP-420: Versions 2.01e and prior
## 3.2 VULNERABILITY OVERVIEW
## 3.2.1 IMPROPER NEUTRALIZATI
Oracle
CVE-2020-5410 [HIGH] Oracle Financial Services Applications Risk Matrix: Common (Spring Cloud Config)
vendor_oracle · 2024-01-15 · CVSS 7.5
CVE: CVE-2020-5410
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2024 (JAN 2024)
Suricata
CVE-2020-5410 [HIGH] ET EXPLOIT VMware Spring Cloud Directory Traversal (CVE-2020-5410)
suricata · 2020-06-15 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT VMware Spring Cloud Directory Traversal (CVE-2020-5410)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/..%252F..%252F"; nocase; fast_pattern; reference:url,xz.aliyun.com/t/7877; reference:cve,2020-5410; classtype:attempted-admin; sid:2030337; rev:2; metadata:affected_product VMware, created_at 2020_06_15, cve CVE_2020_5410, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-05-28