CVE-2018-0787

HIGH

Microsoft ASP.NET Core < 2.0.2 - Password Reset Weakness

Title source: rule

Description

ASP.NET Core 1.0, 1.1, and 2.0 allow an elevation of privilege vulnerability due to how web applications that are created from templates validate web requests, aka "ASP.NET Core Elevation Of Privilege Vulnerability".

Scores

CVSS v3 8.8
EPSS 0.1748
EPSS Percentile 95.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-640
Status published
Products (5)
microsoft/asp.net_core 1.0
microsoft/asp.net_core 1.1
microsoft/asp.net_core 2.0
nuget/Microsoft.AspNetCore.HttpOverrides 2.0.0 - 2.0.2 (NuGet)
nuget/Microsoft.AspNetCore.Server.Kestrel.Core 2.0.0 - 2.0.2 (NuGet)
Published Mar 14, 2018
Tracked Since Feb 18, 2026