SB2018021502 - Multiple vulnerabilities in Typesetter CMS
Published: February 15, 2018
Security Bulletin ID
SB2018021502
Severity
Low
Patch available
NO
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Header injection (CVE-ID: CVE-2018-6889)
The vulnerability allows a remote attacker to perform HTTP header injection attack or even trigger arbitrary user re-direction on the target system.The vulnerability is caused by improper validation of input. A remote attacker can inject arbitrary HTTP headers and conduct various attacks, including cross-site scripting, cache poisoning or session hijacking.
2) Cross-site request forgery (CVE-ID: CVE-2018-6888)
The vulnerability allows a remote attacker to perform CSRF attack.The weakness exists due to improper validation of user-supplied input by the User Permissions page. A remote attacker can create a specially crafted HTTP request, trick the victim into visiting it, create, delete or modify a user account and perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.