Moderate 2018-01 archive

Executive Summary

A Cross Site Request Forgery (CSRF) vulnerability exists when a ASP.NET Core web application is created using vulnerable project templates. An attacker who successfully exploited this vulnerability could change the recovery codes associated with the victim's user account without his/her consent. As a result, a victim of this attack may be permanently locked out of his/her account after loosing access to his/her 2FA device, as the initial recovery codes would be no longer valid. The update corrects the ASP.NET Core project templates.

Overview

Moderate
MS Severity
Not Exploited
MS Exploit Status
Exploitation Unlikely
MS Exploit Likelihood
Category Tampering
Released Jan 9 2018
Last Updated Jan 9 2018
Publicly Disclosed No
CISA KEV Not Listed
Known Exploits None Known

EPSS Score

No EPSS score available for this CVE.

View on FIRST.org

Affected Products

1 affected product
Product KB Article Severity Impact Restart Required
ASP.NET Core 2.0 Commit (Security Update) Moderate Tampering Yes

Patches

1 patch
Article Type Restart
Commit Security Update Yes

Known Exploits

Acknowledgments