{"id": "CVE-2018-1000536", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2018-06-26T16:29:02.040", "references": [{"url": "https://github.com/luin/medis/issues/109", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/luin/medis/issues/109", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Medis version 0.6.1 and earlier contains a XSS vulnerability evolving into code execution due to enabled nodeIntegration for the renderer process vulnerability in Key name parameter on new key creation that can result in Unauthorized code execution in the victim's machine, within the rights of the running application. 
This attack appear to be exploitable via Victim is synchronizing data from the redis server which contains malicious key value."}, {"lang": "es", "value": "Medis en versiones 0.6.1 y anteriores contiene una vulnerabilidad Cross-Site Scripting (XSS) que evoluciona a una ejecuci\u00f3n de c\u00f3digo debido a que se habilita nodeIntegration para la vulnerabilidad del proceso renderer en el par\u00e1metro key name durante la creaci\u00f3n de nuevas claves. Esto puede resultar en la ejecuci\u00f3n de c\u00f3digo no autorizado en la m\u00e1quina de la v\u00edctima con los derechos de la aplicaci\u00f3n en ejecuci\u00f3n. El ataque parece ser explotable si una v\u00edctima sincroniza datos desde el servidor redis que contiene valores de clave maliciosos."}], "lastModified": "2024-11-21T03:40:08.810", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:getmedis:medis:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C383BAB-CD05-45CF-9B09-0B2E7CDDEB65", "versionEndIncluding": "0.6.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}