CVE-2018-2636

high-risk

Published 2018-01-18

Vulnerability in the Oracle Hospitality Simphony component of Oracle Hospitality Applications (subcomponent: Security). Supported versions that are affected are 2.7, 2.8 and 2.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality Simphony. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality Simphony. CVSS 3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Do I need to act?

65.9% chance of exploitation in next 30 days

EPSS score — higher than 34% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

43960

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.1/10 High

NETWORK / HIGH complexity

Affected Products (3)

Hospitality Simphony

Affected Vendors

Oracle

References (12)

Patch http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Third Party Advisory http://www.securityfocus.com/bid/102560

https://erpscan.io/advisories/erpscan-18-002-oracle-micros-pos-missing-authorisa...

https://erpscan.io/press-center/blog/oracle-micros-pos-breached/

https://github.com/erpscanteam/CVE-2018-2636

https://www.exploit-db.com/exploits/43960/

Patch http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Third Party Advisory http://www.securityfocus.com/bid/102560

https://erpscan.io/advisories/erpscan-18-002-oracle-micros-pos-missing-authorisa...

https://erpscan.io/press-center/blog/oracle-micros-pos-breached/

https://github.com/erpscanteam/CVE-2018-2636

https://www.exploit-db.com/exploits/43960/

/ 100

high-risk

Severity 24/34 · High

Exploitability 26/34 · High

Exposure 9/34 · Low