Main Vulnerability Database Vulnerabilities #VU13393

Cross-site request forgery in Micro Focus Universal Configuration Management Database Server - CVE-2018-6497

Published: June 19, 2018 / Updated: June 19, 2018

Vulnerability identifier: #VU13393

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-6497

CWE-ID: CWE-352

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Micro Focus

Affected software:
Micro Focus Universal Configuration Management Database Server

Detailed vulnerability description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists in Micro Focus Universal Configuration Management Database (UCMDB) Server due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into loading a specially crafted HTML page or URL, perform CSRF attack, take actions on the target system acting as the target authenticated user and conduct java object deserialization attacks.

How to mitigate CVE-2018-6497

Micro Focus has made the following mitigation information available to resolve the vulnerability for the impacted versions of UCMDB Server:

https://softwaresupport.softwaregrp.com/km/KM03180030?lang=en&cc=us&hpappid=206728_SSO_PRO

Sources

https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03180069

Cross-site request forgery in Micro Focus Universal Configuration Management Database Server - CVE-2018-6497

Detailed vulnerability description

How to mitigate CVE-2018-6497

Sources

Please verify you're human