Vulnerability Details : CVE-2019-18641
Rock RMS before 1.8.6 mishandles vCard access control within the People/GetVCard/REST controller.
Products affected by CVE-2019-18641
- cpe:2.3:a:sparkdevnetwork:rock_rms:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-18641
- EPSS score: 1.11% (probability of exploitation activity in the next 30 days)
- Percentile: ~85% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2019-18641
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
References for CVE-2019-18641
- https://github.com/SparkDevNetwork/Rock/compare/1.7.6...1.8.6
  Comparing 1.7.6...1.8.6 · SparkDevNetwork/Rock · GitHub (Release Notes; Third Party Advisory)
- https://github.com/SparkDevNetwork/Rock/commit/576f5ec22b1c43f123a377612981c68538167c61
  + Changed vCard to be secured by adjustments to the People/GetVCard/ … · SparkDevNetwork/Rock@576f5ec · GitHub (Patch; Third Party Advisory)
- http://seclists.org/fulldisclosure/2021/Jan/1
  Full Disclosure: Multiple vulnerabilities found in Rock RMS including RCE and account takeover (Mailing List; Third Party Advisory)
- http://packetstormsecurity.com/files/160766/Rock-RMS-File-Upload-Account-Takeover-Information-Disclosure.html
  Rock RMS File Upload / Account Takeover / Information Disclosure ≈ Packet Storm (Third Party Advisory; VDB Entry)