DATABASE RESOURCES PRICING ABOUT US

{"id": "CVE-2018-18864", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2018-18864", "description": "Loadbalancer.org Enterprise VA MAX before 8.3.3 has XSS because Apache HTTP Server logs are displayed.", "published": "2018-11-20T19:29:00", "modified": "2018-12-31T19:43:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 9.3}, "severity": "HIGH", "exploitabilityScore": 8.6, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 2.8, "impactScore": 6.0}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18864", "reporter": "cve@mitre.org", "references": ["http://seclists.org/fulldisclosure/2018/Nov/5", "http://packetstormsecurity.com/files/150135/Loadbalancer.org-Enterprise-VA-MAX-Cross-Site-Scripting.html"], "cvelist": ["CVE-2018-18864"], "immutableFields": [], "lastseen": "2023-02-09T14:18:30", "viewCount": 16, "enchantments": {"dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:150135"]}], "rev": 4}, "score": {"value": 0.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:150135"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "loadbalancer enterprise va max", "version": 8}]}, "epss": [{"cve": "CVE-2018-18864", "epss": "0.007240000", "percentile": "0.776550000", "modified": "2023-03-14"}], "vulnersScore": 0.4}, "_state": {"dependencies": 1675955419, "score": 1675954691, "affected_software_major_version": 1677276084, "epss": 1678871962}, "_internal": {"score_hash": "e0727086779f8673c9d2a971a1f603c5"}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-79"], "affectedSoftware": [{"cpeName": "loadbalancer:enterprise_va_max", "version": "8.3.3", "operator": "lt", "name": "loadbalancer enterprise va max"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:loadbalancer:enterprise_va_max:8.3.3:*:*:*:*:*:*:*", "versionEndExcluding": "8.3.3", "cpe_name": []}]}]}, "extraReferences": [{"url": "http://seclists.org/fulldisclosure/2018/Nov/5", "name": "20181102 Loadbalancer.org Enterprise VA MAX - Unauthenticated Stored XSS", "refsource": "FULLDISC", "tags": ["Exploit", "Mailing List", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/150135/Loadbalancer.org-Enterprise-VA-MAX-Cross-Site-Scripting.html", "name": "http://packetstormsecurity.com/files/150135/Loadbalancer.org-Enterprise-VA-MAX-Cross-Site-Scripting.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}], "product_info": [{"vendor": "Loadbalancer", "product": "Enterprise_va_max"}]}

{"packetstorm": [{"lastseen": "2018-11-05T18:19:57", "description": "", "cvss3": {}, "published": "2018-11-02T00:00:00", "type": "packetstorm", "title": "Loadbalancer.org Enterprise VA MAX Cross Site Scripting", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-18864"], "modified": "2018-11-02T00:00:00", "id": "PACKETSTORM:150135", "href": "https://packetstormsecurity.com/files/150135/Loadbalancer.org-Enterprise-VA-MAX-Cross-Site-Scripting.html", "sourceData": "`Title: Loadbalancer.org Enterprise VA MAX - Unauthenticated Stored XSS \nAuthor: Jakub Palaczynski \nDate: 24. July 2018 \nCVE: CVE-2018-18864 \n \nAffected product: \n============= \n \nLoadbalancer.org Enterprise VA MAX before 8.3.3 \n \nImpact: \n====== \nRemote Code Execution with root privileges. \n \n \nVulnerability - Unauthenticated Stored XSS: \n=================================== \n \nTwo instances of Unauthenticated Stored XSS issue were identified in \nLoadbalancer.org Enterprise VA MAX: \n \n1. Application takes input from Basic Auth (username) and stores it without \nany validation in \"Apache Error Log\". \nThis instance works only on HTTPS port. \n \n2. It is possible to inject custom JavaScript code by accessing URL like \n/?<XSS>. \nSuch JavaScript is stored in \"Apache User Log\". \nIt works on both - HTTP and HTTPS ports. \n \nContact: \n======== \n \nJakub[dot]Palaczynski[at]gmail[dot]com \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/150135/lbevm-xss.txt"}]}