CVE-2018-1000628 Information

Description

Battelle V2I Hub 2.5.1 could allow a remote attacker to bypass security restrictions caused by the direct checking of the API key against a user-supplied value in PHP’s GET global variable array using PHP’s strcmp() function. By adding []\ to the end of \key\ in the URL when accessing API functions an attacker could exploit this vulnerability to execute API functions.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://exchange.xforce.ibmcloud.com/vulnerabilities/147305

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8