Attacker Value
Unknown
CVE-2018-11039
CVE-2018-11039
(Last updated November 26, 2024) ▾
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Description
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
Add Assessment
No one has assessed this topic. Be the first to add your voice to the community.
CVSS V3 Severity and Metrics
Data provided by the National Vulnerability Database (NVD)
Base Score:
5.9 Medium
Impact Score:
3.6
Exploitability Score:
2.2
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None
General Information
Products
- agile plm 9.3.3
- agile plm 9.3.4
- agile plm 9.3.5
- agile plm 9.3.6
- application testing suite 12.5.0.3
- application testing suite 13.1.0.1
- application testing suite 13.2.0.1
- application testing suite 13.3.0.1
- communications diameter signaling router
- communications network integrity
- communications online mediation controller 6.1
- communications performance intelligence center
- communications services gatekeeper
- communications unified inventory management 7.3.2
- communications unified inventory management 7.3.4
- communications unified inventory management 7.3.5
- communications unified inventory management 7.4.0
- debian linux 9.0
- endeca information discovery integrator 3.1.0
- endeca information discovery integrator 3.2.0
- enterprise manager base platform 12.1.0.5.0
- enterprise manager base platform 13.2.0.0.0
- enterprise manager base platform 13.3.0.0.0
- enterprise manager for mysql database 13.2
- enterprise manager ops center 12.3.3
- health sciences information manager 3.0
- healthcare master person index 3.0
- healthcare master person index 4.0
- hospitality guest access 4.2.0
- hospitality guest access 4.2.1
- insurance calculation engine
- insurance calculation engine 10.2
- insurance rules palette 10.0
- insurance rules palette 10.2
- micros lucas 2.9.5
- mysql enterprise monitor
- primavera p6 enterprise project portfolio management 18.8
- retail advanced inventory planning 15.0
- retail assortment planning 14.1
- retail assortment planning 15.0
- retail assortment planning 16.0
- retail clearance optimization engine 14.0.5
- retail customer insights 15.0
- retail customer insights 16.0
- retail financial integration 13.2
- retail financial integration 14.0
- retail financial integration 14.1
- retail financial integration 15.0
- retail financial integration 16.0
- retail integration bus 14.1.2
- retail markdown optimization 13.4.4
- retail predictive application server 14.0.3.26
- retail predictive application server 14.1.3.37
- retail predictive application server 15.0.3..100
- retail predictive application server 16.0
- retail xstore point of service 7.1
- spring framework
- utilities network management system 1.12.0.3
- weblogic server 10.3.6.0.0
- weblogic server 12.1.3.0.0
- weblogic server 12.2.1.3.0
References
Advisory
Miscellaneous
