Ipecs Nms
CVE-2018-10285
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Since the app does not use any sort of session ID, an attacker might bypass authentication.
AnalysisAI
The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Incorrect Permission Assignment (CWE-732), which allows attackers to access resources due to misconfigured permissions. The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Since the app does not use any sort of session ID, an attacker might bypass authentication. Affected products include: Ericssonlg Ipecs Nms.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and restrict file/resource permissions, apply principle of least privilege.
The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulnerability in the User ID and password fields that a
The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive information such as the NMS admin credentials and th
Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs. Rated high severity (CVSS
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today