CVE-2018-10498

EPSS 0.06%
Veröffentlicht 24.09.2018 23:29:00
Zuletzt bearbeitet 21.11.2024 03:41:26
Quelle zdi-disclosures@trendmicro.com
Teams Watchlist Login
Unerledigt Login

This vulnerability allows local attackers to disclose sensitive information on vulnerable installations of Samsung Email Fixed in version 5.0.02.16. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of file:/// URIs. The issue lies in the lack of proper validation of user-supplied data, which can allow for reading arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges. Was ZDI-CAN-5329.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Samsung ≫ Samsung Email Version < 5.0.02.16

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.153

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	2.1	3.9	2.9	AV:L/AC:L/Au:N/C:P/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-37 Path Traversal: '/absolute/pathname/here'

The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.

https://zerodayinitiative.com/advisories/ZDI-18-557

Third Party Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2018-10498

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-10498

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-10498

EUVD