{"api_version":"1","generated_at":"2026-07-17T18:50:47+00:00","cve":"CVE-2018-11074","urls":{"html":"https://cve.report/CVE-2018-11074","api":"https://cve.report/api/cve/CVE-2018-11074.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-11074","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-11074"},"summary":{"title":"CVE-2018-11074","description":"RSA Authentication Manager versions prior to 8.3 P3 are affected by a DOM-based cross-site scripting vulnerability which exists in its embedded MadCap Flare Help files. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to the browser DOM, which code is then executed by the web browser in the context of the vulnerable web application.","state":"PUBLIC","assigner":"security_alert@emc.com","published_at":"2018-09-28 18:29:00","updated_at":"2020-03-27 14:07:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://seclists.org/fulldisclosure/2018/Sep/39","name":"20180921 DSA-2018-152: RSA Authentication Manager Multiple Vulnerabilities","refsource":"FULLDISC","tags":["Mailing List","Third Party Advisory"],"title":"Full Disclosure: DSA-2018-152: RSA® Authentication Manager Multiple Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1041697","name":"1041697","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"RSA Authentication Manager Input Validation Flaws Let Remote Users Conduct Cross-Site Scripting Attacks - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/105410","name":"105410","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"EMC RSA Authentication Manager Cross Site Scripting and HTML Injection Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-11074","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-11074","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"RSA would like to thank Mantas Juskauskas from SEC Consult Vulnerability for reporting CVE-2018-11074.","lang":""}],"nvd_cpes":[{"cve_year":"2018","cve_id":"11074","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"emc","cpe5":"rsa_authentication_manager","cpe6":"8.3","cpe7":"p1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"11074","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"emc","cpe5":"rsa_authentication_manager","cpe6":"8.3","cpe7":"p2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"11074","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"emc","cpe5":"rsa_authentication_manager","cpe6":"8.3","cpe7":"p1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"11074","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"emc","cpe5":"rsa_authentication_manager","cpe6":"8.3","cpe7":"p2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"11074","vulnerable":"1","versionEndIncluding":"8.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"rsa","cpe5":"authentication_manager","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security_alert@emc.com","DATE_PUBLIC":"2018-09-21T17:00:00.000Z","ID":"CVE-2018-11074","STATE":"PUBLIC","TITLE":"DSA-2018-152: RSA® Authentication Manager Multiple Vulnerabilities"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Authentication Manager","version":{"version_data":[{"affected":"<","version_value":"8.3 P3"}]}}]},"vendor_name":"RSA"}]}},"credit":[{"lang":"eng","value":"RSA would like to thank Mantas Juskauskas from SEC Consult Vulnerability for reporting CVE-2018-11074."}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"RSA Authentication Manager versions prior to 8.3 P3 are affected by a DOM-based cross-site scripting vulnerability which exists in its embedded MadCap Flare Help files. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to the browser DOM, which code is then executed by the web browser in the context of the vulnerable web application."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.0"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"DOM-based cross-site scripting vulnerability"}]}]},"references":{"reference_data":[{"name":"20180921 DSA-2018-152: RSA Authentication Manager Multiple Vulnerabilities","refsource":"FULLDISC","url":"https://seclists.org/fulldisclosure/2018/Sep/39"},{"name":"1041697","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1041697"},{"name":"105410","refsource":"BID","url":"http://www.securityfocus.com/bid/105410"}]},"source":{"discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2018-09-28 18:29:00","lastModifiedDate":"2020-03-27 14:07:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:rsa:authentication_manager:*:*:*:*:*:*:*:*","versionEndIncluding":"8.3","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:emc:rsa_authentication_manager:8.3:p1:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:emc:rsa_authentication_manager:8.3:p2:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"11074","Ordinal":"127533","Title":"CVE-2018-11074","CVE":"CVE-2018-11074","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"11074","Ordinal":"1","NoteData":"RSA Authentication Manager versions prior to 8.3 P3 are affected by a DOM-based cross-site scripting vulnerability which exists in its embedded MadCap Flare Help files. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to the browser DOM, which code is then executed by the web browser in the context of the vulnerable web application.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"11074","Ordinal":"2","NoteData":"2018-09-28","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"11074","Ordinal":"3","NoteData":"2018-10-02","Type":"Other","Title":"Modified"}]}}}