CVE-2018-15658

{"id": "CVE-2018-15658", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-02-05T03:29:00.347", "references": [{"url": "https://research.digitalinterruption.com/2019/01/31/multiple-vulnerabilities-found-in-mobile-device-management-software/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in 42Gears SureMDM before 2018-11-27. By visiting the page found at /console/ConsolePage/Master.html, an attacker is able to see the markup that would be presented to an authenticated user. This is caused by the session validation occurring after the initial markup is loaded. This results in a list of unprotected API endpoints that disclose call logs, SMS logs, and user-account data."}, {"lang": "es", "value": "Se ha descubierto un problema en 42Gears SureMDM en versiones anteriores al 27/11/2018. Al visitar la p\u00e1gina en /console/ConsolePage/Master.html, un atacante puede ver las marcas que se presentar\u00edan a un usuario autenticado. Esto viene provocado porque la validaci\u00f3n de sesiones que ocurre tras el marcado inicial est\u00e1 cargado. Esto resulta en una lista de endpoints de API sin proteger que revelan historiales de llamadas, mensajes de texto y datos de la cuenta de usuario."}], "lastModified": "2019-02-19T17:53:38.777", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:42gears:suremdm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8364603C-4810-4D54-867B-905EABDD5B0C", "versionEndExcluding": "2018-11-27"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}