Vulnerability Details : CVE-2018-10795
Potential exploit
Liferay 6.2.x and before has an FCKeditor configuration that allows an attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment via a browser/liferay/browser.html?Type= or html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html URI. NOTE: the vendor disputes this issue because file upload is an expected feature, subject to Role Based Access Control checks where only authenticated users with proper permissions can upload files.
Products affected by CVE-2018-10795
- cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*
Threat overview for CVE-2018-10795
Top countries where our scanners detected CVE-2018-10795
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2018-10795: 467
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2018-10795
- 0.36%: Probability of exploitation activity in the next 30 days
- ~ 57%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-10795
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2018-10795
- The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-10795
- https://cxsecurity.com/issue/WLB-2018050029
  LifeRay (Fckeditor) Arbitrary File Upload Vulnerability - CXSecurity.com (Exploit; Third Party Advisory)