Lucene search

MitreCVE-2018-19798

HistoryMar 02, 2020 - 9:15 p.m.

CVE-2018-19798

2020-03-0221:15:11

CWE-434

mitre

web.nvd.nist.gov

cve-2018-19798

fleetco fleet maintenance management

fmm 1.2

remote command execution

file upload

nvd

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.007

Percentile

80.9%

JSON

Fleetco Fleet Maintenance Management (FMM) 1.2 and earlier allows uploading an arbitrary “.php” file with the application/x-php Content-Type to the accidents_add.php?submit=1 URI, as demonstrated by the value_Images_1 field, which leads to remote command execution on the remote server. Any authenticated user can exploit this.

Affected configurations

Nvd

Node

fleetcofleet_maintenance_managementRange≤1.2

VendorProductVersionCPE
fleetcofleet_maintenance_management*cpe:2.3:a:fleetco:fleet_maintenance_management:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fleetco	fleet_maintenance_management	*	cpe:2.3:a:fleetco:fleet_maintenance_management::::::::

References

exploit-db.com/exploits/45927

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.007

Percentile

80.9%

JSON

Related for CVE-2018-19798