Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-11044

Pivotal Apps Manager included in Pivotal Application Service, versions 2.2.x prior to 2.2.1 and 2.1.x prior to 2.1.8 and 2.0.x prior to 2.0.17 and 1.12.x prior to 1.12.26, does not escape all user-provided content when sending invitation emails. A malicious authenticated user can inject content into an invite to another user, exploiting the trust implied by the source of the email.

Published

2018-07-24T19:29:00.240

Last Modified

2024-11-21T03:42:33.310

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:P/A:N

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

  • CWE-20 (Type: Primary)

Affected Vendors & Products

Type         Vendor            Product                      Version/Range  Vulnerable?
Application  pivotal_software  pivotal_application_service  < 1.12.26      Yes
Application  pivotal_software  pivotal_application_service  < 2.0.17       Yes
Application  pivotal_software  pivotal_application_service  < 2.1.8        Yes
Application  pivotal_software  pivotal_application_service  < 2.2.1        Yes

References