CVE-2018-11044 — Improper Input Validation in Application Service

CWE-20 — Improper Input Validation3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 53.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pivotal Application Service Pivotal Software Pivotal Application Service

Timeline

PublishedJul 24

Latest updateMay 14

Description

Pivotal Apps Manager included in Pivotal Application Service, versions 2.2.x prior to 2.2.1 and 2.1.x prior to 2.1.8 and 2.0.x prior to 2.0.17 and 1.12.x prior to 1.12.26, does not escape all user-provided content when sending invitation emails. A malicious authenticated user can inject content into an invite to another user, exploiting the trust implied by the source of the email.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5pivotal/pivotal_application_service2.2.x — 2.2.1+3

▶NVDpivotal_software/pivotal_application_service1.12.0 — 1.12.26+3

🔴Vulnerability Details

GHSA

GHSA-gg63-f8cx-66q8: Pivotal Apps Manager included in Pivotal Application Service, versions 2↗2022-05-14

▶

CVEList

CVE-2018-11044: Pivotal Apps Manager included in Pivotal Application Service, versions 2↗2018-07-24

▶