CVE-2018-11808

Опубликовано: 06 июн. 2018

Источник: nvd

CVSS3: 9.1

CVSS2: 10

EPSS Низкий

Описание

Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server.

Ссылки

http://www.securityfocus.com/bid/104467
Third Party Advisory
VDB Entry
https://github.com/kactrosN/publicdisclosures
Third Party Advisory
https://www.manageengine.com/products/applications_manager/issues.html
Release Notes
Vendor Advisory
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-11808.html
http://www.securityfocus.com/bid/104467
Third Party Advisory
VDB Entry
https://github.com/kactrosN/publicdisclosures
Third Party Advisory
https://www.manageengine.com/products/applications_manager/issues.html
Release Notes
Vendor Advisory
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-11808.html

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:zohocorp:manageengine_applications_manager:13:*:*:*:*:*:*:*

EPSS

Процентиль: 88%

0.0423

Низкий

9.1 Critical

CVSS3

10 Critical

CVSS2

Дефекты

CWE-20

Связанные уязвимости

GHSA-rh5r-wvg8-j97g