CVE-2018-15656

{"id": "CVE-2018-15656", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-02-05T03:29:00.267", "references": [{"url": "https://research.digitalinterruption.com/2019/01/31/multiple-vulnerabilities-found-in-mobile-device-management-software/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the registration API endpoint in 42Gears SureMDM before 2018-11-27. An attacker can submit a GET request to /api/register/:email, where :email is a base64 encoded e-mail address, to receive confirmation as to whether a user account exists in the system with the specified e-mail address. The request must be made with an \"apiKey\" value in the \"ApiKey\" header."}, {"lang": "es", "value": "Se ha descubierto un problema en el endpoint de la API de registro en 42Gears SureMDM antes del 27/11/2018. Un atacante puede enviar una petici\u00f3n GET a /api/register/:email, donde :email es una direcci\u00f3n de correo electr\u00f3nico cifrado en base64, para recibir confirmaci\u00f3n de si existe una cuenta de usuario en el sistema con la direcci\u00f3n de correo especificada. La petici\u00f3n debe realizarse con un valor \"apiKey\" en la cabecera \"ApiKey\"."}], "lastModified": "2019-02-19T17:54:57.237", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:42gears:suremdm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8364603C-4810-4D54-867B-905EABDD5B0C", "versionEndExcluding": "2018-11-27"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}