SB2018101203 - Multiple vulnerabilities in NUUO CMS

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2018101203

SB2018101203 - Multiple vulnerabilities in NUUO CMS

Published: October 12, 2018

Security Bulletin ID SB2018101203
Severity
High
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 75% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Use of insufficiently random values (CVE-ID: CVE-2018-17888)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to use of insufficiently random values by session identification mechanism. A remote unauthenticated attacker can obtain the active session ID and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Use of obsolete function (CVE-ID: CVE-2018-17890)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to use of insecure and outdate software components for functionality. A remote unauthenticated attacker can execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) Incorrect permission assignment for critical resource (CVE-ID: CVE-2018-17892)

The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.

The vulnerability exists due to the application implements a method of user account control that causes standard account security features to not be utilized as intended. A remote attacker can execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


4) Use of hardcoded credentials (CVE-ID: CVE-2018-17894)

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to the application creates default accounts that have hard-coded passwords. A remote unauthenticated attacker can use these credentials to gain elevated privileges.


Remediation

Install update from vendor's website.

References