CVE-2018-6014

{"id": "CVE-2018-6014", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2018-01-23T00:29:00.260", "references": [{"url": "https://www.vulnerability-lab.com/get_content.php?id=2115", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.youtube.com/watch?v=t3nYuhAHOMg", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.vulnerability-lab.com/get_content.php?id=2115", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.youtube.com/watch?v=t3nYuhAHOMg", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Subsonic v6.1.3 has an insecure allow-access-from domain=\"*\" Flash cross-domain policy that allows an attacker to retrieve sensitive user information via a read request. To exploit this issue, an attacker must convince the user to visit a web site loaded with a SWF file created specifically to steal user data."}, {"lang": "es", "value": "Subsonic v6.1.3 tiene una pol\u00edtica de dominio Flash cruzado allow-access-from domain=\"*\" inseguro que permite que un atacante recupere informaci\u00f3n sensible del usuario mediante una petici\u00f3n read. Para explotar este problema, un atacante debe convencer al usuario para que visite un sitio web cargado con un archivo SWF creado espec\u00edficamente para robar datos de usuario."}], "lastModified": "2024-11-21T04:09:53.623", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:subsonic:subsonic:6.1.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3413AAD-9874-4AA0-9EA5-B78559341420"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}