ByteOS Network

NVD Vulnerability Details :

CVE-2018-12464

Modified

Source-security@opentext.com

Published At-29 Jun, 2018 | 16:29

Updated At-07 Nov, 2023 | 02:52

A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5).

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.0	9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary	3.0	10.0	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary	2.0	7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P

CPE Matches

Micro Focus International Limited

>>secure_messaging_gateway>>Versions before 471(exclusive)

cpe:2.3:a:microfocus:secure_messaging_gateway:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-89	Primary	nvd@nist.gov
CWE-89	Secondary	security@opentext.com

References

Hyperlink	Source	Resource
https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/	security@opentext.com	N/A
https://support.microfocus.com/kb/doc.php?id=7023132	security@opentext.com	N/A
https://www.exploit-db.com/exploits/45083/	security@opentext.com	N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History