CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentile: 82.4%

Navarino Infinity web interface up to version 2.2 is affected by multiple vulnerabilities.
**CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)** - CVE-2018-5384
Navarino Infinity exposes an unauthenticated script that is prone to blind SQL injection.
**CWE-384: Session Fixation** - CVE-2018-5385
**CWE-288: Authentication Bypass Using an Alternate Path or Channel** - CVE-2018-5386
Some Navarino Infinity functions placed in the URL can bypass any authentication mechanism leading to an information leak.
A remote, unauthenticated attacker may be able to bypass authentication and perform some administrative functions or perform SQL injection.
According to the vendor’s website, the hotfix has been made available to all Infinity users.
184077
Updated: March 26, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 8.7 | E:–/RL:OF/RC:C |
Environmental | 8.7 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
Thanks to Vangelis Stykas for reporting this vulnerability.
This document was written by Noelle Allon.
CVE IDs: | CVE-2018-5384, CVE-2018-5385, CVE-2018-5386 |
---|---|
Date Public: | 2018-02-07 |
Date First Published: | |