CVE-2018-20402 Information

Description

Safe Software FME Server through 2018.1 creates and enables three additional accounts in addition to the initial administrator account. The passwords for the three accounts are the same as the usernames, which are guest, user, and author. Logging in with these accounts will grant any user the default privilege roles that were also created for each of the accounts.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

http://docs.safe.com/fme/html/FME_Server_Documentation/Content/AdminGuide/Default_User_Accounts_and_Passwords.htm

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

8.8

Base Severity

HIGH
