Important 2018-03 archive

Executive Summary

An elevation of privilege vulnerability exists when a Kestrel web application fails to validate web requests. An attacker who successfully exploited this vulnerability could perform HTML injection attacks. To exploit the vulnerability, an attacker could send a specially crafted request, containing injected HTML, to the web application. The specially crafted request would initiate a "password reset" email to the target user. Depending on the target user email client, the injected HTML could trigger as soon as the target user opens the "password reset" e-mail. The security update addresses the vulnerability by correcting how a Kestrel web application validates web requests.

Overview

Important
MS Severity
Not Exploited
MS Exploit Status
Less Likely
MS Exploit Likelihood
Category Elevation of Privilege
Released Mar 13 2018
Last Updated Mar 13 2018
Publicly Disclosed No
CISA KEV Not Listed
Known Exploits None Known

EPSS Score

No EPSS score available for this CVE.

View on FIRST.org

Affected Products

1 affected product
Product KB Article Severity Impact Restart Required
ASP.NET Core 2.0 Commit (Security Update) Important Elevation of Privilege Yes

Patches

1 patch
Article Type Restart
Commit Security Update Yes

Known Exploits

Acknowledgments