CVE-2018-0787

Опубликовано: 13 мар. 2018

Источник: msrc

EPSS Низкий

Описание

ASP.NET Core Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when a Kestrel web application fails to validate web requests.

An attacker who successfully exploited this vulnerability could perform HTML injection attacks.

To exploit the vulnerability, an attacker could send a specially crafted request, containing injected HTML, to the web application. The specially crafted request would initiate a "password reset" email to the target user. Depending on the target user email client, the injected HTML could trigger as soon as the target user opens the "password reset" e-mail.

The security update addresses the vulnerability by correcting how a Kestrel web application validates web requests.

Обновления

Продукт	Статья	Обновление
ASP.NET Core 2.0		Security Update

Показывать по

Возможность эксплуатации

Publicly Disclosed

Exploited

Latest Software Release

Exploitation Less Likely

Older Software Release

N/A

EPSS

Процентиль: 92%

0.08682

Низкий

Связанные уязвимости

CVE-2018-0787

CVSS3: 8.8

nvd

больше 7 лет назад

ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnerability due to how web applications that are created from templates validate web requests, aka "ASP.NET Core Elevation Of Privilege Vulnerability".

GHSA-365p-96qv-xr7g

CVSS3: 8.8

github

больше 6 лет назад

ASP.NET Core allow an elevation of privilege

EPSS

Процентиль: 92%

0.08682

Низкий