Exploitation Summary
CVE-2018-8715 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The Embedthis HTTP library, and Appweb versions before 7.0.3, have a logic flaw related to the authCondition function in http/httpLib.c. With a forged HTTP request, it is possible to bypass authentication for the form and digest login types.
Nuclei Templates (1)
AppWeb - Authentication Bypass
HIGHby milo2012
Shodan:
cpe:"cpe:2.3:a:embedthis:appweb"
References (3)
Core 3
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/embedthis/appweb/issues/610
Exploit, Third Party Advisory x_refsource_misc
https://blogs.securiteam.com/index.php/archives/3676
Various Sources x_refsource_confirm
https://security.paloaltonetworks.com/CVE-2018-8715
Scores
CVSS v3
8.1
EPSS
0.1985
EPSS Percentile
97.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (1)
embedthis/appweb
< 7.0.2
Published
Mar 15, 2018
Tracked Since
Feb 18, 2026