Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | N/A |
CWE-ID | CWE-264 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
ASP.NET Core MVC Universal components / Libraries / Software for developers |
Vendor | Microsoft |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU653
Risk: Medium
CVSSv3.1: 4.4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:C/I:C/A:L/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to obtain elevated privileges.
The vulnerability exists due to design error in View Component implementation within public versions of ASP.NET Core MVC 1.0.0. A malicious user can gain access to potentially sensitive information on the system and obtain elevated privileges on the system.
Successful exploitation of this vulnerability will allow an attacker to obtain elevated privileges on vulnerable system.
The following packages are vulnerable:
Update ASP.NET Core MVC to 1.0.1.
Microsoft .NET Core 1.0.1 – VS 2015 Tooling Preview 2" updates the ASP.NET Core templates to use the fixed packages.
To download this preview, see the "Tools" section of the .NET Downloads page.
ASP.NET Core MVC: 1.0.0
External linkshttp://technet.microsoft.com/en-us/library/security/3181759.aspx
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.