CVE-2018-16172

{"id": "CVE-2018-16172", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2019-01-09T23:29:03.420", "references": [{"url": "https://jvn.jp/en/jp/JVN23161885/index.html", "tags": ["Third Party Advisory"], "source": "vultures@jpcert.or.jp"}, {"url": "https://kb.cybozu.support/article/35260/", "tags": ["Vendor Advisory"], "source": "vultures@jpcert.or.jp"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1021"}]}], "descriptions": [{"lang": "en", "value": "Improper countermeasure against clickjacking attack in client certificates management screen was discovered in Cybozu Remote Service 3.0.0 to 3.1.8, that allows remote attackers to trick a user to delete the registered client certificate."}, {"lang": "es", "value": "Se han descubierto contramedidas incorrectas contra ataques de secuestro de clics en la pantalla de gesti\u00f3n de certificados de cliente en Cybozu Remote Service, desde la versi\u00f3n 3.0.0 hasta la 3.1.8, que permite que los atacantes remotos enga\u00f1en a un usuario para que elimine el certificado de cliente registrado."}], "lastModified": "2020-08-24T17:37:01.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cybozu:remote_service_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D593FEE9-BEAA-4D1A-8EB4-5FAE1B3F3135", "versionEndIncluding": "3.1.8", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "vultures@jpcert.or.jp"}