CVE-2018-13257

{"id": "CVE-2018-13257", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2019-11-18T16:15:11.447", "references": [{"url": "https://github.com/gluxon/CVE-2018-13257", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/gluxon/CVE-2018-13257", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "The bb-auth-provider-cas authentication module within Blackboard Learn 2018-07-02 is susceptible to HTTP host header spoofing during Central Authentication Service (CAS) service ticket validation, enabling a phishing attack from the CAS server login page."}, {"lang": "es", "value": "El m\u00f3dulo de autenticaci\u00f3n bb-auth-provider-cas dentro de Blackboard Learn versi\u00f3n 2018-07-02, es susceptible a una suplantaci\u00f3n de encabezado del host HTTP durante la comprobaci\u00f3n de tickets del servicio del Central Authentication Service (CAS), permitiendo un ataque de phishing desde la p\u00e1gina de inicio de sesi\u00f3n del servidor CAS."}], "lastModified": "2024-11-21T03:46:44.220", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:blackboard:blackboard_learn:2018-07-02:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9DEFCE90-BC5C-4F59-858C-2236A1F18116"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}