CVE-2018-5329

ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) on /CWEBNET/* authenticated pages. A successful CSRF attack can force the user to modify state: creating users, changing an email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

CVSS v3 8.8 HIGH
CVSS v2.0 6.8 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://becomepentester.blogspot.com/2018/01/ZUUSE-BEIMS-ContractorWeb-CSRF-CVE-2018-5329.html	Exploit Third Party Advisory
https://becomepentester.blogspot.com/2018/01/ZUUSE-BEIMS-ContractorWeb-CSRF-CVE-2018-5329.html	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:beims:contractorweb.net:5.18.0.0:*:*:*:*:*:*:*

History

21 Nov 2024, 04:08

Type	Values Removed	Values Added
References	~~() https://becomepentester.blogspot.com/2018/01/ZUUSE-BEIMS-ContractorWeb-CSRF-CVE-2018-5329.html - Exploit, Third Party Advisory~~	() https://becomepentester.blogspot.com/2018/01/ZUUSE-BEIMS-ContractorWeb-CSRF-CVE-2018-5329.html - Exploit, Third Party Advisory

Information

Published : 2018-01-15 21:29

Updated : 2024-11-21 04:08

NVD link : CVE-2018-5329

Mitre link : CVE-2018-5329

CVE.ORG link : CVE-2018-5329

JSON object : View

Products Affected

beims

contractorweb.net

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2018-5329", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2018-01-15T21:29:00.250", "references": [{"url": "https://becomepentester.blogspot.com/2018/01/ZUUSE-BEIMS-ContractorWeb-CSRF-CVE-2018-5329.html", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://becomepentester.blogspot.com/2018/01/ZUUSE-BEIMS-ContractorWeb-CSRF-CVE-2018-5329.html", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) on /CWEBNET/* authenticated pages. A successful CSRF attack can force the user to modify state: creating users, changing an email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application."}, {"lang": "es", "value": "ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 es vulnerable a Cross-Site Request Forgery (CSRF) en p\u00e1ginas autenticadas /CWEBNET/*. Un ataque CSRF exitoso puede forzar al usuario a modificar el estado: crear usuarios o cambiar una direcci\u00f3n de email, entre otros. Si la v\u00edctima es una cuenta administrativa, CSRF puede comprometer la aplicaci\u00f3n web al completo."}], "lastModified": "2024-11-21T04:08:35.480", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:beims:contractorweb.net:5.18.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02A56153-37CF-430E-94DC-7B4B5834E0D3"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}