CVE-2018-12571

CRITICAL

Microsoft Forefront Unified Access Gateway 2010 - SSRF

Title source: llm

Description

uniquesig0/InternalSite/InitParams.aspx in Microsoft Forefront Unified Access Gateway 2010 allows remote attackers to trigger outbound DNS queries for arbitrary hosts via a comma-separated list of URLs in the orig_url parameter, possibly causing a traffic amplification and/or SSRF outcome.

References (4)

Core 4

Core References

Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2018/Jul/2

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1041212

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/148389/Microsoft-Forefront-Unified-Access-Gateway-2010-External-DNS-Interaction.html

Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2018/Jul/7

Scores

CVSS v3 9.8

EPSS 0.3027

EPSS Percentile 98.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-918

Status published

Products (1)

microsoft/forefront_unified_access_gateway 2010

Published Jul 05, 2018

Tracked Since Feb 18, 2026