nvd-json-data-feeds/CVE-2018/CVE-2018-189xx/CVE-2018-18930.json

{
  "id": "CVE-2018-18930",
  "sourceIdentifier": "cve@mitre.org",
  "published": "2019-10-29T20:15:10.803",
  "lastModified": "2019-11-05T18:01:50.623",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "The Tightrope Media Carousel digital signage product 7.0.4.104 contains an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. An authenticated attacker can upload a crafted ZIP file (based on an exported backup of existing \"Bulletins\") containing a malicious file. When uploaded, the system only checks for the presence of the needed files within the ZIP and, as long as the malicious file is named properly, will extract all contained files to a new directory on the system, named with a random GUID. The attacker can determine this GUID by previewing an image from the uploaded Bulletin within the web UI. Once the GUID is determined, the attacker can navigate to the malicious file and execute it. In testing, an ASPX web shell was uploaded, allowing for remote-code execution in the context of a restricted IIS user."
    },
    {
      "lang": "es",
      "value": "El producto de se\u00f1alizaci\u00f3n digital Tightrope Media Carousel versi\u00f3n 7.0.4.104, contiene una vulnerabilidad de carga de archivos arbitraria en la funcionalidad Manage Bulletins/Upload, que puede ser aprovechada para conseguir la ejecuci\u00f3n de c\u00f3digo remota. Un atacante autenticado puede cargar un archivo ZIP dise\u00f1ado (basado en una copia de seguridad exportada de \"Bulletins\" existentes) que contiene un archivo malicioso. Cuando es cargada, el sistema solo comprueba la presencia de los archivos necesarios dentro del ZIP y, siempre que el archivo malicioso tenga un nombre apropiado, extraer\u00e1 todos los archivos contenidos en un nuevo directorio en el sistema, nombrado con un GUID aleatorio. El atacante puede determinar este GUID mediante la previsualizaci\u00f3n de una imagen del Bolet\u00edn cargado dentro de la interfaz de usuario web. Una vez que el GUID es determinado, el atacante puede navegar en el archivo malicioso y ejecutarlo. En las pruebas, un shell web ASPX fue cargado, lo que permite la ejecuci\u00f3n de c\u00f3digo remota en el contexto de un usuario IIS restringido."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "accessVector": "NETWORK",
          "accessComplexity": "LOW",
          "authentication": "SINGLE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:trms:carousel_digital_signage:*:*:*:*:*:*:*:*",
              "versionEndIncluding": "7.0.4.104",
              "matchCriteriaId": "F395E7E9-1DEB-4F95-B773-BFC89E9B7341"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://www.drewgreen.net/vulnerabilities-in-tightrope-media-systems-carousel/",
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ]
    }
  ]
}