CVE-2018-18985

moderate-risk
Published 2019-01-29

Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality.

Do I need to act?

-
0.11% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (6)

Niagara
Niagara
Niagara Enterprise Security
Niagara Enterprise Security

Affected Vendors

Tridium

References (4)

Third Party Advisory http://www.securityfocus.com/bid/106530
Third Party Advisory https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02
Third Party Advisory http://www.securityfocus.com/bid/106530
Third Party Advisory https://ics-cert.us-cert.gov/advisories/ICSA-18-333-02
34
/ 100
moderate-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 13/34 · Low