Important 2018-01 archive

Executive Summary

An elevation of privilege vulnerability exists when a ASP.NET Core web application, created using vulnerable project templates, fails to properly sanitize web requests. An attacker who successfully exploited this vulnerability could perform content injection attacks and run script in the security context of the logged-on user. To exploit the vulnerability, an attacker could send a specially crafted email, containing a malicious link, to a user. Alternatively, an attacker could use a chat client to social engineer a user into clicking the malicious link. However, in all cases to exploit this vulnerability a user must click a maliciously crafted link from an attacker. The security update addresses the vulnerability by correcting the ASP.NET Core project templates.

Overview

Important
MS Severity
Not Exploited
MS Exploit Status
Less Likely
MS Exploit Likelihood
Category Elevation of Privilege
Released Jan 9 2018
Last Updated Jan 9 2018
Publicly Disclosed No
CISA KEV Not Listed
Known Exploits None Known

EPSS Score

No EPSS score available for this CVE.

View on FIRST.org

Affected Products

1 affected product
Product KB Article Severity Impact Restart Required
ASP.NET Core 2.0 Commit (Security Update) Important Elevation of Privilege Yes

Patches

1 patch
Article Type Restart
Commit Security Update Yes

Known Exploits

Acknowledgments