CVE-2018-1000854
Remote Code Execution in esigate-core
9.8
CRITICAL
CVSS 3.1
EPSS 2.5%
Description
esigate.org esigate version 5.2 and earlier contains a CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in the ESI directive with user-specified XSLT that can result in Remote Code Execution. This attack appears to be exploitable via use of another weakness in the backend application to reflect ESI directives. This vulnerability appears to have been fixed in 5.3.
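How to fix CVE-2018-1000854
To fix CVE-2018-1000854, upgrade the affected package to the patched version listed below.
- Upgrade to 5.3 or later
Is CVE-2018-1000854 being exploited?
Low: EPSS is 2.5%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)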
- from 0, < 5.3
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |