CVE-2018-19234

HIGH

COMPAREX Miss Marple Enterprise <2.0 - RCE

Title source: llm

Description

The Miss Marple Updater Service in COMPAREX Miss Marple Enterprise Edition before 2.0 allows remote attackers to execute arbitrary code with SYSTEM privileges via vectors related to missing update validation.

References (4)

[Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/150427/Miss-Marple-Enterprise-Edition-File-Upload-Hardcoded-AES-Key.html

[Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2018/Nov/55

[Mailing List, Third Party Advisory] https://seclists.org/bugtraq/2018/Nov/37

[Third Party Advisory] https://www.sec-consult.com/en/blog/advisories/multiple-critical-vulnerabilities-in-miss-marple-enterprise-edition/

Scores

CVSS v3 8.8

EPSS 0.0459

EPSS Percentile 89.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-494

Status published

Products (1)

comparex/miss_marple < 2.0

Published Dec 20, 2018

Tracked Since Feb 18, 2026