CVE-2014-3740 : Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbi

Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbitrary web script or HTML via the Summary field in a ticket request to the portal page.

Published 2014-09-11 18:55:06

Updated 2018-10-10 20:09:49

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Exploit prediction scoring system (EPSS) score for CVE-2014-3740

Probability of exploitation activity in the next 30 days: 0.46%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 73 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2014-3740

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.5	LOW	AV:N/AC:M/Au:S/C:N/I:P/A:N	6.8	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2014-3740

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-3740

http://research.openflare.org/advisories/OF-2014-07/spiceworks_xss.txt

404 Not Found
Exploit
http://www.securityfocus.com/archive/1/532346/100/0/threaded

SecurityFocus
http://packetstormsecurity.com/files/126994/SpiceWorks-IT-Ticketing-System-Cross-Site-Scripting.html

SpiceWorks IT Ticketing System Cross Site Scripting ≈ Packet Storm
Exploit
http://packetstormsecurity.com/files/126596/SpiceWorks-7.2.00174-Cross-Site-Scripting.html

SpiceWorks 7.2.00174 Cross Site Scripting ≈ Packet Storm
Exploit
http://research.openflare.org/poc/OF-2014-07/spiceworks_crafted_ticket.mp4

404 Not Found
http://seclists.org/fulldisclosure/2014/Jun/42

Full Disclosure: CVE-2014-3740 - SpiceWorks Cross-site scripting
Exploit
http://www.exploit-db.com/exploits/33330

SpiceWorks 7.2.00174 - Persistent Cross-Site Scripting - Windows webapps Exploit
Exploit

Products affected by CVE-2014-3740

Spiceworks » Spiceworks
Versions up to, including, (<=) 7.2.00190
cpe:2.3:a:spiceworks:spiceworks:*:*:*:*:*:*:*:*
Matching versions
Spiceworks » Spiceworks » Version: 7.2.00189
cpe:2.3:a:spiceworks:spiceworks:7.2.00189:*:*:*:*:*:*:*
Matching versions
Spiceworks » Spiceworks » Version: 7.2.00174
cpe:2.3:a:spiceworks:spiceworks:7.2.00174:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2014-3740

Exploit prediction scoring system (EPSS) score for CVE-2014-3740

CVSS scores for CVE-2014-3740

CWE ids for CVE-2014-3740

References for CVE-2014-3740

Products affected by CVE-2014-3740