Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd[email protected]NVD:CVE-2018-11091
HistoryMay 14, 2018 - 11:29 p.m.

CVE-2018-11091

2018-05-1423:29:00
CWE-434
[email protected]
web.nvd.nist.gov
4

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0.002

Percentile

54.7%

JSON

An issue was discovered in MyBiz MyProcureNet 5.0.0. A malicious file can be uploaded to the webserver by an attacker. It is possible for an attacker to upload a script to issue operating system commands. This vulnerability occurs because an attacker is able to adjust the “HiddenFieldControlCustomWhiteListedExtensions” parameter and add arbitrary extensions to the whitelist during the upload. For instance, if the extension .asp is added to the “HiddenFieldControlCustomWhiteListedExtensions” parameter, the server accepts “secctest.asp” as a legitimate file. Hence malicious files can be uploaded in order to execute arbitrary commands to take over the server.

Affected configurations

Nvd
Node
mybizmyprocurenetMatch5.0.0
VendorProductVersionCPE
mybizmyprocurenet5.0.0cpe:2.3:a:mybiz:myprocurenet:5.0.0:*:*:*:*:*:*:*

Related

cvelist 1
cve 1
prion 1
zdt 1
oraclelinux 2
nessus 1
freebsd 1
freebsd_advisory 1
mskb 1
openvas 8
cvelist
cvelist
CVE-2018-11091
2018-05-14 23:00:00
cve
cve
CVE-2018-11091
2018-05-14 23:29:00
prion
prion
Design/Logic Flaw
2018-05-14 23:29:00
zdt
zdt
MyBiz MyProcureNet 5.0.0 File Upload / Cross Site Scripting Vulnerabilities
2018-05-15 00:00:00
oraclelinux
oraclelinux
virt:rhel security update
2019-07-30 00:00:00
virt:rhel security update
2019-07-30 00:00:00
nessus
nessus
FreeBSD : FreeBSD -- Intel CPU Microcode Update (fbe10a8a-05a1-11ea-9dfa-f8b156ac3ff9) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) (Spectre)
2019-11-26 00:00:00
freebsd
freebsd
FreeBSD -- Intel CPU Microcode Update
2019-11-14 00:00:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-19:26.mcu
2019-11-12 00:00:00
mskb
mskb
KB4073065: Surface guidance to protect against silicon-based microarchitectural and speculative execution side-channel vulnerabilities
2018-05-21 07:00:00
openvas
openvas
Microsoft Windows Multiple Vulnerabilities (KB4499164)
2019-05-15 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4499151)
2019-05-15 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4499154)
2019-05-15 00:00:00

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0.002

Percentile

54.7%

JSON
Related for NVD:CVE-2018-11091
cvelist1cve1prion1zdt1oraclelinux2nessus1freebsd1freebsd_advisory1mskb1openvas8