CVE-2018-12703

{"id": "CVE-2018-12703", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2018-06-25T10:29:00.267", "references": [{"url": "https://huobiglobal.zendesk.com/hc/en-us/articles/360000110521-HADAX-Suspends-18T-and-GVE-Deposits-and-Withdrawals", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://peckshield.com/2018/06/23/evilReflex/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://huobiglobal.zendesk.com/hc/en-us/articles/360000110521-HADAX-Suspends-18T-and-GVE-Deposits-and-Withdrawals", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://peckshield.com/2018/06/23/evilReflex/", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "The approveAndCallcode function of a smart contract implementation for Block 18 (18T), an tradable Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer the contract's balances into their account) because the callcode (i.e., _spender.call(_extraData)) is not verified, aka the \"evilReflex\" issue. NOTE: a PeckShield disclosure states \"some researchers have independently discussed the mechanism of such vulnerability.\""}, {"lang": "es", "value": "La funci\u00f3n approveAndCallcode de una implementaci\u00f3n de contrato inteligente para Block 18 (18T), un token de Ethereum ERC20 intercambiable, permite que los atacantes roben activos (por ejemplo, transfiriendo el saldo del contrato en su cuenta) debido a que el c\u00f3digo de llamada, como _spender.call(_extraData), no est\u00e1 verificado. Esto tambi\u00e9n se conoce como problema \"evilReflex\". NOTA: un comunicado de PeckShield indica que \"algunos investigadores han discutido de forma independiente el mecanismo de esta vulnerabilidad\"."}], "lastModified": "2024-11-21T03:45:42.450", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:block18:block18:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B1684A30-4013-4E5F-9F02-68C91E84DEFD"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}