CVE-2018-12464 | A SQL injection vulnerability in the web administration and … | CVSS 10.0 CRITICAL

Description

A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5).

Metadata

CVE ID: CVE-2018-12464
State: PUBLISHED
Assigner: microfocus
Reserved: 2018-06-15 00:00 UTC
Published: 2018-06-29 16:00 UTC
Last updated: 2024-09-17 01:55 UTC
Primary CWE: CWE-89
Unauthenticated SQL injection (CWE-89)
Vendor / Product: Micro Focus / Secure Messaging Gateway
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.0

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
Micro Focus	Secure Messaging Gateway	—	unspecified < 471

Weakness (CWE)

CWE	Source	Description
CWE-89	cna	Unauthenticated SQL injection (CWE-89)

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.0	cna	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (3)