An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used GWAVA product name (i.e. GWAVA 6.5).
Published 2018-06-29 16:29:00
Updated 2019-10-09 23:33:59
Source SUSE
View at NVD,   CVE.org
Vulnerability category: Execute code

Products affected by CVE-2018-12465

Exploit prediction scoring system (EPSS) score for CVE-2018-12465

4.14%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 92 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2018-12465

  • MicroFocus Secure Messaging Gateway Remote Code Execution
    Disclosure Date: 2018-06-19
    First seen: 2020-04-26
    exploit/linux/http/microfocus_secure_messaging_gateway
    This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway. An unauthenticated user can execute a terminal command under the context of the web user. One of the user supplied parameters of API endpoint is used by the appl

CVSS scores for CVE-2018-12465

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
9.0
HIGH AV:N/AC:L/Au:S/C:C/I:C/A:C
8.0
10.0
NIST
9.1
CRITICAL CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
2.3
6.0
SUSE
7.2
HIGH CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1.2
5.9
NIST

CWE ids for CVE-2018-12465

References for CVE-2018-12465

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!