CVE-2018-11044
Summary
| CVE | CVE-2018-11044 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-07-24 19:29:00 UTC |
| Updated | 2018-10-01 13:14:00 UTC |
| Description | Pivotal Apps Manager included in Pivotal Application Service, versions 2.2.x prior to 2.2.1 and 2.1.x prior to 2.1.8 and 2.0.x prior to 2.0.17 and 1.12.x prior to 1.12.26, does not escape all user-provided content when sending invitation emails. A malicious authenticated user can inject content into an invite to another user, exploiting the trust implied by the source of the email. |
Risk And Classification
Problem Types: CWE-20
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Pivotal Software | Pivotal Application Service | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| CVE-2018-11044: Apps Manager allows unescaped content in invitation emails \| Security \| VMware Tanzu | CONFIRM | pivotal.io | Mitigation, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.