CVE-2019-17120

high-risk
Published 2019-10-17

A stored and reflected cross-site scripting (XSS) vulnerability in WiKID 2FA Enterprise Server through 4.2.0-b2047 allow remote attackers to inject arbitrary web script or HTML via /WiKIDAdmin/adm_usrs.jsp. The usr parameter is vulnerable: the reflected cross-site scripting occurs immediately after the user is created. The malicious script is stored and will be executed whenever /WiKIDAdmin/adm_usrs.jsp is visited.

Do I need to act?

~
6.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (20)

2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server
2Fa Enterprise Server

Affected Vendors

Wikidsystems

References (6)

Exploit http://packetstormsecurity.com/files/154912/WiKID-Systems-2FA-Enterprise-Server-...
Exploit http://seclists.org/fulldisclosure/2019/Oct/35
Exploit https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-cross-site-scri...
Exploit http://packetstormsecurity.com/files/154912/WiKID-Systems-2FA-Enterprise-Server-...
Exploit http://seclists.org/fulldisclosure/2019/Oct/35
Exploit https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-cross-site-scri...
57
/ 100
high-risk
Severity 23/34 · High
Exploitability 9/34 · Low
Exposure 25/34 · High