CVE-2018-16987

HIGH

Squash TM <1.18.0 - Info Disclosure

Title source: llm

Description

Squash TM through 1.18.0 presents the cleartext passwords of external services in the administration panel, as demonstrated by a ta-server-password field in the HTML source code.

Exploits (1)

nomisec WRITEUP 1 stars

by gquere · poc

https://github.com/gquere/CVE-2018-16987

View Code ZIP pw:eip

References (2)

[Permissions Required, Vendor Advisory] https://ci.squashtest.org/mantis/view.php?id=7553

[Exploit, Mailing List, Third Party Advisory] https://www.openwall.com/lists/oss-security/2018/09/13/1

Scores

CVSS v3 7.2

EPSS 0.0080

EPSS Percentile 73.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-522

Status published

Affected Products (1)

squashtest/squash_tm < 1.18.0

Timeline

Published Sep 13, 2018

Tracked Since Feb 18, 2026