CVE-2018-11044

Published: Jul 24, 2018Modified: Nov 21, 2024

6.5

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Pivotal Apps Manager included in Pivotal Application Service, versions 2.2.x prior to 2.2.1 and 2.1.x prior to 2.1.8 and 2.0.x prior to 2.0.17 and 1.12.x prior to 1.12.26, does not escape all user-provided content when sending invitation emails. A malicious authenticated user can inject content into an invite to another user, exploiting the trust implied by the source of the email.

Affected (4)

Products: Pivotal Software: Pivotal Application Service

Pivotal Software

1 product

Pivotal Application Service

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Pivotal Software Pivotal Application Service	From 1.12.0 to 1.12.26
Pivotal Software Pivotal Application Service	From 2.0.0 to 2.0.17
Pivotal Software Pivotal Application Service	From 2.1.0 to 2.1.8
Pivotal Software Pivotal Application Service	From 2.2.0 to 2.2.1

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (2)

https://pivotal.io/security/cve-2018-11044

Source: security_alert@emc.com

MitigationVendor Advisory

https://pivotal.io/security/cve-2018-11044

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

Timeline

No history available yet.