{"id": "CVE-2018-7718", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2018-11-08T21:29:00.200", "references": [{"url": "https://www.dropbox.com/s/6tlee2uj3t3su8n/Telexy-QPath-CVE-2018-7718.pdf", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.dropbox.com/s/6tlee2uj3t3su8n/Telexy-QPath-CVE-2018-7718.pdf", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Telexy QPath 5.4.462. A low privileged authenticated user supplying a specially crafted serialized request to AdanitDataService.svc may modify user information, including but not limited to email address, username, and password, of other user accounts. The simplest attack approach is for the attacker to intercept their own password-change request and modify the username before the request reaches the server. Also, changing a victim's email address can have a similar account-takeover consequence."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Telexy QPath 5.4.462. Un usuario autentificado con bajos privilegios que proporcione una petici\u00f3n serializada especialmente dise\u00f1ada a AdanitDataService.svc puede modificar la informaci\u00f3n del usuario, incluyendo pero no limit\u00e1ndose a la direcci\u00f3n de correo electr\u00f3nico, el nombre de usuario y la contrase\u00f1a de otras cuentas de usuario. El m\u00e9todo de ataque m\u00e1s sencillo es que el atacante intercepte su propia solicitud de cambio de contrase\u00f1a y modifique el nombre de usuario antes de que la solicitud llegue al servidor. Adem\u00e1s, cambiar la direcci\u00f3n de correo electr\u00f3nico de una v\u00edctima puede tener una consecuencia similar: la apropiaci\u00f3n de la cuenta."}], "lastModified": "2024-11-21T04:12:35.653", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:telexy:qpath:5.4.462:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9F83FB2A-A834-4F78-B8CD-1A789519B863"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}