CVE-2018-1000628

Published: Dec 28, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Battelle V2I Hub 2.5.1 could allow a remote attacker to bypass security restrictions, caused by the direct checking of the API key against a user-supplied value in PHP's GET global variable array using PHP's strcmp() function. By adding "[]" to the end of "key" in the URL when accessing API functions, an attacker could exploit this vulnerability to execute API functions.

Affected (1)

Products: Battelle: V2i Hub

Battelle

1 product

V2i Hub

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Battelle V2i Hub	Version 2.5.1

References (2)

https://exchange.xforce.ibmcloud.com/vulnerabilities/147305

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://exchange.xforce.ibmcloud.com/vulnerabilities/147305

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

Timeline

No history available yet.