CVE-2018-8715

moderate-risk
Published 2018-03-15

The Embedthis HTTP library, and Appweb versions before 7.0.3, have a logic flaw related to the authCondition function in http/httpLib.c. With a forged HTTP request, it is possible to bypass authentication for the form and digest login types.

Do I need to act?

!
92.3% chance of exploitation in next 30 days
EPSS score — higher than 8% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10 High
NETWORK / HIGH complexity

Affected Products (1)

Appweb

Affected Vendors

Embedthis

References (6)

Exploit https://blogs.securiteam.com/index.php/archives/3676
Patch https://github.com/embedthis/appweb/issues/610
https://security.paloaltonetworks.com/CVE-2018-8715
Exploit https://blogs.securiteam.com/index.php/archives/3676
Patch https://github.com/embedthis/appweb/issues/610
https://security.paloaltonetworks.com/CVE-2018-8715
49
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal