CVE-2018-16703

{"id": "CVE-2018-16703", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2018-09-07T17:29:01.020", "references": [{"url": "https://github.com/gleez/cms/issues/802", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-307"}, {"lang": "en", "value": "CWE-521"}, {"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Gleez CMS 1.2.0 login page could allow an unauthenticated, remote attacker to perform multiple user enumerations, which can further help an attacker to perform login attempts in excess of the configured login attempt limit. The vulnerability is due to insufficient server-side access control and login attempt limit enforcement. An attacker could exploit this vulnerability by sending modified login attempts to the Portal login page. An exploit could allow the attacker to identify existing users and perform brute-force password attacks on the Portal, as demonstrated by navigating to the user/4 URI."}, {"lang": "es", "value": "Una vulnerabilidad en la p\u00e1gina de inicio de sesi\u00f3n de Gleez CMS 1.2.0 podr\u00eda permitir que un atacante remoto no autenticado realice m\u00faltiples enumeraciones de usuario, lo que puede ayudar a un atacante a realizar intentos de inicio de sesi\u00f3n que sobrepasan el l\u00edmite configurado de intentos de inicio de sesi\u00f3n. La vulnerabilidad se debe a un control de acceso insuficiente del lado del servidor y a una aplicaci\u00f3n insuficiente del l\u00edmite de intentos de inicio de sesi\u00f3n. Un atacante podr\u00eda explotar esta vulnerabilidad enviando intentos modificados de inicio de sesi\u00f3n a la p\u00e1gina de inicio de sesi\u00f3n del portal. Su explotaci\u00f3n podr\u00eda permitir que el atacante identifique a los usuarios existentes y realice ataques de adivinaci\u00f3n de contrase\u00f1a por fuerza bruta en el portal, tal y como queda demostrado navegando hasta el URI user/4."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gleeztech:gleez_cms:1.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B8DE79A-3439-4388-A4AF-A92B4F2BC185"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}