Deserialization of untrusted data in VT-Designer - CVE-2018-18987
Published: November 29, 2018 / Updated: November 30, 2018
Vulnerability identifier: #VU16181
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-18987
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: INVT Electric
Affected software:
VT-Designer
VT-Designer
Detailed vulnerability description
The vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code on the target system.
The vulnerability exists due to the program populates objects with user supplied input via a file without first checking for validity. A remote unauthenticated attacker can supply specially crafted input to be written to known memory locations and cause the program crash or execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
How to mitigate CVE-2018-18987
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.