CVE-2018-6563

{"id": "CVE-2018-6563", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2018-06-20T14:29:00.320", "references": [{"url": "http://packetstormsecurity.com/files/147648/Totemomail-Encryption-Gateway-6.0.0_Build_371-Cross-Site-Request-Forgery.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/542015/100/0/threaded", "source": "cve@mitre.org"}, {"url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2018-003_totemo_csrf.txt", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.exploit-db.com/exploits/44631/", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in totemomail Encryption Gateway before 6.0.0_Build_371 allow remote attackers to hijack the authentication of users for requests that (1) change user settings, (2) send emails, or (3) change contact information by leveraging lack of an anti-CSRF token."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de Cross-Site Request Forgery (CSRF) en totemomail Encryption Gateway en versiones anteriores a la 6.0.0_Build_371 permiten que atacantes remotos secuestren la autenticaci\u00f3n de los usuarios para las peticiones que (1) cambian las opciones de usuario, (2) envi\u00e1n emails o (3) cambian la informaci\u00f3n de contacto aprovechando la falta de un token anti-CSRF."}], "lastModified": "2018-10-09T20:01:53.433", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:totemo:encryption_gateway:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F66B1FF-714F-42D4-9794-6E89E09A36CB", "versionEndIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}