CVE-2018-3815

{"id": "CVE-2018-3815", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.1}]}, "published": "2018-01-08T05:29:00.290", "references": [{"url": "https://packetstormsecurity.com/files/145724/communigatepro62-spoof", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "The \"XML Interface to Messaging, Scheduling, and Signaling\" (XIMSS) protocol implementation in CommuniGate Pro (CGP) 6.2 suffers from a Missing XIMSS Protocol Validation attack that leads to an email spoofing attack, allowing a malicious authenticated attacker to send a message from any source email address. The attack uses an HTTP POST request to a /Session URI, and interchanges the XML From and To elements."}, {"lang": "es", "value": "La implementaci\u00f3n en el protocolo XIMSS (XML Interface to Messaging, Scheduling, and Signaling) en CommuniGate Pro (CGP) 6.2 sufre un ataque basado en la ausencia de validaci\u00f3n del protocolo XIMSS que conduce a un ataque de suplantaci\u00f3n de email, permitiendo a un atacante autenticado malicioso enviar un mensaje desde cualquier direcci\u00f3n de correo. El ataque utiliza una petici\u00f3n HTTP POST a la URI /Session e intercambia los elementos XML \"From\" y \"To\"."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:stalker:communigate_pro:6.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F7885559-32A6-44CD-A2F3-E155762813B5"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}