CVE-2018-11044
Pivotal Application Service 1.12.x-2.2.x - Authenticated Invitation Email Injection
Severity: MEDIUM
Pivotal Apps Manager included in Pivotal Application Service, versions 2.2.x prior to 2.2.1 and 2.1.x prior to 2.1.8 and 2.0.x prior to 2.0.17 and 1.12.x prior to 1.12.26, does not escape all user-provided content when sending invitation emails. A malicious authenticated user can inject content into an invite to another user, exploiting the trust implied by the source of the email.
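The flaw class described above, as an added illustration that is not Pivotal Apps Manager's code: an invitation mailer that substitutes inviter-controlled strings (a display name and a personal note, both assumed field names) verbatim into the message, beside a hardened version that escapes each value for the context it lands in. The HTML-body case is what the advisory describes; the example goes one step further and also shows why a value that reaches a header line must have CR/LF removed. The template, the organisation name and the accept link are constructed for the example.

```python
import html
import re

# Constructed sample input from a malicious authenticated inviter. The field
# names (inviter display name, personal note) are assumptions for this example.
EVIL_NAME = "Alice\r\nBcc: attacker@example.net"
EVIL_NOTE = ('Please confirm your password at '
             '<a href="https://evil.example/login">Apps Manager</a>.')
ORG = "acme"                                                     # constructed
ACCEPT_LINK = "https://apps-manager.example/invitations/abc123"  # constructed, server-generated

SUBJECT_TMPL = "{name} invited you to {org}"
BODY_TMPL = (
    "<p>{name} invited you to join <b>{org}</b>.</p>\n"
    "<p>{note}</p>\n"
    '<p><a href="{link}">Accept the invitation</a></p>\n'
)


def render(subject, body):
    """Assemble a minimal raw message: header lines, blank line, HTML body."""
    return "Subject: " + subject + "\r\nContent-Type: text/html\r\n\r\n" + body


def build_invite_vulnerable(name, note, org=ORG, link=ACCEPT_LINK):
    """Vulnerable pattern: user-controlled strings go verbatim into both the
    Subject header and the HTML body, so the inviter can add markup, links
    and (via CR/LF) extra header lines that appear to come from the platform."""
    return render(SUBJECT_TMPL.format(name=name, org=org),
                  BODY_TMPL.format(name=name, note=note, org=org, link=link))


_CRLF = re.compile(r"[\r\n]+")


def header_safe(value):
    """Header context: a CR/LF would terminate the line and start a new
    header, so collapse any line break into a single space."""
    return _CRLF.sub(" ", value)


def build_invite_hardened(name, note, org=ORG, link=ACCEPT_LINK):
    """Hardened pattern: every user-controlled value is escaped for the
    context it is inserted into (header line vs. HTML body)."""
    subject = SUBJECT_TMPL.format(name=header_safe(name), org=header_safe(org))
    body = BODY_TMPL.format(name=html.escape(name), note=html.escape(note),
                            org=html.escape(org), link=html.escape(link))
    return render(subject, body)


def header_names(raw):
    """Check helper: names of the header lines before the first blank line."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")]


def body_links(raw):
    """Check helper: href targets that survive as real anchors in the body."""
    body = raw.split("\r\n\r\n", 1)[1]
    return re.findall(r'href="([^"]*)"', body)


if __name__ == "__main__":
    print(header_names(build_invite_vulnerable(EVIL_NAME, EVIL_NOTE)))
    print(body_links(build_invite_vulnerable(EVIL_NAME, EVIL_NOTE)))
    print(header_names(build_invite_hardened(EVIL_NAME, EVIL_NOTE)))
    print(body_links(build_invite_hardened(EVIL_NAME, EVIL_NOTE)))
```

The two check helpers make the difference visible: the vulnerable message carries an attacker-added `Bcc` header and a second, attacker-chosen link, while the hardened message carries only the headers and the accept link the server put there, with the injected anchor reduced to inert text.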
References (1)
Core reference (Mitigation, Vendor Advisory; x_refsource_confirm):
https://pivotal.io/security/cve-2018-11044
Scores
CVSS v3: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
EPSS: 0.0073 (percentile 49.9%)
Attack Vector: NETWORK
Details
CWE: CWE-20 (Improper Input Validation)
Status: published
Products (1)
pivotal_software/pivotal_application_service: 1.12.0 - 1.12.26 (per the description above, 1.12.26 is the fixed release; the 2.0.x, 2.1.x and 2.2.x ranges named in the description are affected as well but are not listed in this product entry)
Published: Jul 24, 2018
Tracked Since: Feb 18, 2026