CVE-2018-8715
published 2018-03-15


Priority: P2 (66, high) · CVSS 3.0: 8.1
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 19.85% (97.1st percentile)
The Embedthis HTTP library, and Appweb versions before 7.0.3, have a logic flaw related to the authCondition function in http/httpLib.c. With a forged HTTP request, it is possible to bypass authentication for the form and digest login types.

Affected (2 ranges)

Vendor       Product   Version range   Fixed in
embedthis    appweb    <= 7.0.2
paloalto     pan-os

Detection & IOCs (extracted from sources)

command: Authorization: Digest username=admin
  • Send a GET request to the target root path with a forged Authorization header containing only 'Digest username=admin' (no password/hash). A 200 OK response with a non-empty body indicates successful authentication bypass.
  • The vulnerability is triggered by a forged HTTP request targeting the authCondition function; affects form and digest login types in Appweb before 7.0.3.
  • The Nuclei template targets the root path '/' with a single GET request; detection relies on HTTP 200 status AND a non-empty body (space character match), which may produce false positives on unauthenticated pages.
  • PAN-OS impact is described as denial of service only (NULL dereference crash of the management service), NOT authentication bypass: the CVE manifests differently on PAN-OS than on native Appweb deployments.
  • GlobalProtect is explicitly NOT affected by this CVE on PAN-OS platforms.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.0      8.1     HIGH       CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P