Lucene search

MicrofocusCVELIST:CVE-2018-12464

HistoryJun 28, 2018 - 12:00 a.m.

CVE-2018-12464 Unauthenticated SQL injection in Micro Focus Secure Messaging Gateway

2018-06-2800:00:00

CWE-89

microfocus

www.cve.org

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.069 Low

EPSS

Percentile

94.0%

JSON

A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5).

CNA Affected

[
  {
    "product": "Secure Messaging Gateway",
    "vendor": "Micro Focus",
    "versions": [
      {
        "lessThan": "471",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/

support.microfocus.com/kb/doc.php?id=7023132

www.exploit-db.com/exploits/45083/

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.069 Low

EPSS

Percentile

94.0%

JSON

Related for CVELIST:CVE-2018-12464