Details of VAR-201806-1766

ID

VAR-201806-1766

CVE

CVE-2018-6563

TITLE

totemomail Encryption Gateway Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2018-006561

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in totemomail Encryption Gateway before 6.0.0_Build_371 allow remote attackers to hijack the authentication of users for requests that (1) change user settings, (2) send emails, or (3) change contact information by leveraging lack of an anti-CSRF token. totemomail Encryption Gateway Contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. totemomail Encryption Gateway is a gateway for email encryption

Trust: 1.71

sources: NVD: CVE-2018-6563 // JVNDB: JVNDB-2018-006561 // VULHUB: VHN-136595

AFFECTED PRODUCTS

vendor:	totemo	model:	encryption gateway	scope:	lte	version:	6.0.0	Trust: 1.0
vendor:	totemo	model:	totemomail encryption gateway	scope:	lt	version:	6.0.0_build_371	Trust: 0.8
vendor:	totemo	model:	encryption gateway	scope:	eq	version:	6.0.0	Trust: 0.6

sources: JVNDB: JVNDB-2018-006561 // CNNVD: CNNVD-201806-1069 // NVD: CVE-2018-6563

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-6563
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-6563
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201806-1069
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-136595
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-6563
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-136595
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-6563
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-136595 // JVNDB: JVNDB-2018-006561 // CNNVD: CNNVD-201806-1069 // NVD: CVE-2018-6563

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-136595 // JVNDB: JVNDB-2018-006561 // NVD: CVE-2018-6563

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201806-1069

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201806-1069

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-006561

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-136595

PATCH

title:	totemomail	url:	https://www.totemo.com/en/solutions/email-encryption	Trust: 0.8
title:	totemomail Encryption Gateway Fixes for cross-site request forgery vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81128	Trust: 0.6

sources: JVNDB: JVNDB-2018-006561 // CNNVD: CNNVD-201806-1069

EXTERNAL IDS

db:	NVD	id:	CVE-2018-6563	Trust: 2.5
db:	PACKETSTORM	id:	147648	Trust: 1.7
db:	EXPLOIT-DB	id:	44631	Trust: 1.1
db:	JVNDB	id:	JVNDB-2018-006561	Trust: 0.8
db:	CNNVD	id:	CNNVD-201806-1069	Trust: 0.7
db:	VULHUB	id:	VHN-136595	Trust: 0.1

sources: VULHUB: VHN-136595 // JVNDB: JVNDB-2018-006561 // CNNVD: CNNVD-201806-1069 // NVD: CVE-2018-6563

REFERENCES

url:	https://www.compass-security.com/fileadmin/datein/research/advisories/csnc-2018-003_totemo_csrf.txt	Trust: 2.5
url:	http://packetstormsecurity.com/files/147648/totemomail-encryption-gateway-6.0.0_build_371-cross-site-request-forgery.html	Trust: 1.7
url:	http://www.securityfocus.com/archive/1/542015/100/0/threaded	Trust: 1.1
url:	https://www.exploit-db.com/exploits/44631/	Trust: 1.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-6563	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-6563	Trust: 0.8
url:	http://www.securityfocus.com/archive/1/archive/1/542015/100/0/threaded	Trust: 0.6

sources: VULHUB: VHN-136595 // JVNDB: JVNDB-2018-006561 // CNNVD: CNNVD-201806-1069 // NVD: CVE-2018-6563

SOURCES

db:	VULHUB	id:	VHN-136595
db:	JVNDB	id:	JVNDB-2018-006561
db:	CNNVD	id:	CNNVD-201806-1069
db:	NVD	id:	CVE-2018-6563

LAST UPDATE DATE

2024-11-23T23:02:07.908000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-136595	date:	2018-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2018-006561	date:	2018-08-24T00:00:00
db:	CNNVD	id:	CNNVD-201806-1069	date:	2018-06-21T00:00:00
db:	NVD	id:	CVE-2018-6563	date:	2024-11-21T04:10:54.967

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-136595	date:	2018-06-20T00:00:00
db:	JVNDB	id:	JVNDB-2018-006561	date:	2018-08-24T00:00:00
db:	CNNVD	id:	CNNVD-201806-1069	date:	2018-06-21T00:00:00
db:	NVD	id:	CVE-2018-6563	date:	2018-06-20T14:29:00.320