PT-2018-10798 · Nec · Nec Univerge Sv9100 Webpro

Hyp3Rlinx · Published 2018-12-26 · Updated 2021-09-13 · CVE-2018-11741

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

NEC Univerge Sv9100 WebPro version 6.00.00

Description

The issue concerns Predictable Session IDs, which can lead to Account Information Disclosure. This occurs via specific URIs, such as 'Home.htm?sessionId=#####&GOTO(8)'.

Recommendations

For NEC Univerge Sv9100 WebPro version 6.00.00, consider restricting access to the 'Home.htm' endpoint until a fix is available, and avoid using predictable session IDs to minimize the risk of exploitation.

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2018-11741

Affected Products

Nec Univerge Sv9100 Webpro