CVE-2018-7718 Information

Description

An issue was discovered in Telexy QPath 5.4.462. A low privileged authenticated user supplying a specially crafted serialized request to AdanitDataService.svc may modify user information including but not limited to email address username and password of other user accounts. The simplest attack approach is for the attacker to intercept their own password-change request and modify the username before the request reaches the server. Also changing a victim’s email address can have a similar account-takeover consequence.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Reference

https://www.dropbox.com/s/6tlee2uj3t3su8n/Telexy-QPath-CVE-2018-7718.pdf

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

6.5