CVE-2018-11044

MEDIUM

Pivotal Application Service 1.12.x-2.2.x - Authenticated Invitation Email Injection


Description

Pivotal Apps Manager included in Pivotal Application Service, versions 2.2.x prior to 2.2.1 and 2.1.x prior to 2.1.8 and 2.0.x prior to 2.0.17 and 1.12.x prior to 1.12.26, does not escape all user-provided content when sending invitation emails. A malicious authenticated user can inject content into an invite to another user, exploiting the trust implied by the source of the email.

References (1)

Mitigation, Vendor Advisory (x_refsource_confirm): https://pivotal.io/security/cve-2018-11044

Scores

CVSS v3 6.5
EPSS 0.0073
EPSS Percentile 49.9%
Attack Vector NETWORK
CVSS v3.0 Vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-20
Status published
Products (1)
pivotal_software/pivotal_application_service 1.12.0 - 1.12.26
Published Jul 24, 2018
Tracked Since Feb 18, 2026