Vulnerability Details : CVE-2018-11652
Potential exploit
CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report.
Products affected by CVE-2018-11652
- cpe:2.3:a:cirt.net:nikto:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-11652
20.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 95 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-11652
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2018-11652
-
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-11652
-
https://github.com/sullo/nikto/commit/e759b3300aace5314fe3d30800c8bd83c81c29f7
Fix CSV injection issue if server responds with a malicious Server st… · sullo/nikto@e759b33 · GitHubPatch;Third Party Advisory
-
https://www.exploit-db.com/exploits/44899/
Nikto 2.1.6 - CSV InjectionExploit;Third Party Advisory;VDB Entry
Jump to