CVE-2019-18641
CRITICALRock RMS < 1.8.6 - Unauthenticated Information Disclosure via People/GetVCard/REST Controller
Title source: llmDescription
Rock RMS before 1.8.6 mishandles vCard access control within the People/GetVCard/REST controller.
References (4)
Core 4
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/SparkDevNetwork/Rock/compare/1.7.6...1.8.6
Patch, Third Party Advisory x_refsource_confirm
https://github.com/SparkDevNetwork/Rock/commit/576f5ec22b1c43f123a377612981c68538167c61
Mailing List, Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2021/Jan/1
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/160766/Rock-RMS-File-Upload-Account-Takeover-Information-Disclosure.html
Scores
CVSS v3
9.8
EPSS
0.0335
EPSS Percentile
87.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (1)
sparkdevnetwork/rock_rms
< 1.8.6
Published
Mar 20, 2020
Tracked Since
Feb 18, 2026