CVE-2018-17888

CRITICAL

NUUO CMS <3.1 - RCE

Title source: llm

Description

NUUO CMS all versions 3.1 and prior, The application uses a session identification mechanism that could allow attackers to obtain the active session ID, which could allow arbitrary remote code execution.

Exploits (1)

metasploit WORKING POC

by Pedro Ribeiro <[email protected]> · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/nuuo_cms_bruteforce.rb

View Code ZIP pw:eip

References (2)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/105717

[Patch, Third Party Advisory, US Government Resource] https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02

Scores

CVSS v3 9.8

EPSS 0.4186

EPSS Percentile 97.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-330

Status published

Products (1)

nuuo/nuuo_cms < 3.1

Published Oct 12, 2018

Tracked Since Feb 18, 2026