CVE-2018-6460
published 2018-01-31


Priority: P2, 60, high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: EPSS 11.18% (95.4th percentile)
Hotspot Shield runs a webserver with a static IP address 127.0.0.1 and port 895. The web server uses JSONP and hosts sensitive information including configuration. User controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including whether the user is connected to a VPN, to which VPN he/she is connected, and what is their real IP address.

Detection & IOCs (extracted from sources)

ip: 127.0.0.1
port: 895
url: http://127.0.0.1:895/status.js?func=$_APPLOG.Rfunc
path: /status.js
command: func=$_APPLOG.Rfunc
  • Monitor for HTTP requests to localhost port 895 targeting /status.js, particularly those containing the JSONP callback parameter 'func=$_APPLOG.Rfunc', which is the exploitation payload for this information disclosure vulnerability.
  • Detect browser-side exploitation attempts via JavaScript that dynamically inject a <script> tag with src pointing to http://127.0.0.1:895/status.js — indicative of a cross-origin JSONP data exfiltration attack against Hotspot Shield.
  • The vulnerable endpoint is only reachable via localhost (127.0.0.1:895), meaning exploitation requires the attacker to deliver malicious JavaScript to the victim's browser (e.g., via a malicious webpage), rather than direct remote network access.
  • The attack leverages JSONP (unauthenticated, no CORS restriction) to exfiltrate data; detection on the network layer alone may be insufficient since the request originates from the local browser.
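As an added example (not part of the original page and not Hotspot Shield's own code), the following Python helper applies the monitoring advice above to HTTP access-log lines captured on the endpoint. The simplified log layout, the severity tiers and the sample log lines are constructed assumptions; adjust `parse_line()` to the telemetry your proxy or EDR actually produces. It flags any request to 127.0.0.1:895/status.js, raises severity when the JSONP callback parameter is present, and raises it again when the Referer shows the request was triggered from a non-local origin, which is the browser-side pattern the bullets describe.

```python
"""Detection helper for CVE-2018-6460 style requests (added example).

Scans constructed HTTP access-log lines for requests to the Hotspot Shield
local web server (127.0.0.1:895, /status.js) and rates each hit by how closely
it matches the disclosed exploitation pattern.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the advisory text on the page.
VULN_HOST = "127.0.0.1"
VULN_PORT = 895
VULN_PATH = "/status.js"
KNOWN_CALLBACK = "$_APPLOG.Rfunc"

# Constructed log layout (an assumption, not a real product format):
#   <client> <method> <url> <status> "<referer>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

LOCAL_HOSTS = {"127.0.0.1", "localhost"}


@dataclass
class Finding:
    line: str
    severity: str  # "high", "medium" or "low"
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, method, url, status, referer = m.groups()
    return {"client": client, "method": method, "url": url,
            "status": int(status), "referer": referer}


def classify(entry: dict) -> Optional[Finding]:
    """Return a Finding if the request targets the vulnerable endpoint."""
    u = urlsplit(entry["url"])
    if u.hostname != VULN_HOST or u.port != VULN_PORT or u.path != VULN_PATH:
        return None

    func = parse_qs(u.query).get("func", [None])[0]

    # A Referer from a non-local origin means a web page in the browser
    # triggered the request (the JSONP <script> injection scenario).
    referer = entry["referer"]
    ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
    cross_origin = ref_host is not None and ref_host not in LOCAL_HOSTS

    if func == KNOWN_CALLBACK:
        severity, reason = "high", "known JSONP callback from the public disclosure"
    elif func is not None and cross_origin:
        severity, reason = "high", "JSONP callback requested from external origin"
    elif func is not None:
        severity, reason = "medium", "JSONP callback parameter present"
    else:
        severity, reason = "low", "request to local Hotspot Shield status endpoint"
    if cross_origin:
        reason += f" (referer host: {ref_host})"
    return Finding(entry["url"], severity, reason)


def scan(lines: List[str]) -> List[Finding]:
    """Run parse + classify over log lines, keeping only hits."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        f = classify(entry)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log (not real traffic); the last two lines are noise.
SAMPLE_LOG = [
    '10.0.0.5 POST http://127.0.0.1:895/status.js?func=$_APPLOG.Rfunc 200 "http://attacker.example/page.html"',
    '10.0.0.5 GET http://127.0.0.1:895/status.js?func=cb1 200 "http://news.example/"',
    '10.0.0.5 GET http://127.0.0.1:895/status.js 200 "-"',
    '10.0.0.5 GET http://127.0.0.1:895/status.js?func=cb 200 ""',
    '10.0.0.5 GET http://127.0.0.1:8080/status.js?func=x 200 ""',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.line}  -- {f.reason}")
```

The `cross_origin` check is what distinguishes a benign status poll by the Hotspot Shield client itself from a request injected by a web page; if your telemetry does not record the Referer, fall back to alerting on any `func` parameter aimed at port 895.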

CVSS provenance

NVD v3.0: 7.5 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N