Main Vulnerability Database SB2018083014

SB2018083014 - OS Command Injection in foxmail.com.cn Foxmail

Published: August 30, 2018 Updated: August 8, 2020

Security Bulletin ID SB2018083014

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) OS Command Injection (CVE-ID: CVE-2018-11616)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Tencent Foxmail 7.2.9.115. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI handlers. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5543.

Remediation

Install update from vendor's website.

References

https://zerodayinitiative.com/advisories/ZDI-18-584