Skip to main content

Robotic Process Automation With Automation Anywhere CVE-2018-1552

HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2018-11-02 psirt@us.ibm.com
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 02, 2018 - 15:29 nvd
HIGH 8.8

DescriptionNVD

IBM Robotic Process Automation with Automation Anywhere 10.0 and 11.0 allows a remote attacker to execute arbitrary code on the system, caused by a missing restriction in which file types can be uploaded to the control room. By uploading a malicious file and tricking a victim to run it, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 142889.

AnalysisAI

IBM Robotic Process Automation with Automation Anywhere 10.0 and 11.0 allows a remote attacker to execute arbitrary code on the system, caused by a missing restriction in which file types can be. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Technical ContextAI

This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. IBM Robotic Process Automation with Automation Anywhere 10.0 and 11.0 allows a remote attacker to execute arbitrary code on the system, caused by a missing restriction in which file types can be uploaded to the control room. By uploading a malicious file and tricking a victim to run it, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 142889. Affected products include: Ibm Robotic Process Automation With Automation Anywhere.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.

CVE-2019-4336 CRITICAL
9.8 Jul 01

IBM Robotic Process Automation with Automation Anywhere 11 uses an inadequate account lockout setting that could allow a

CVE-2018-1514 HIGH
8.8 Jun 07

IBM Robotic Process Automation with Automation Anywhere 10.0 is vulnerable to cross-site request forgery which could all

CVE-2018-1877 HIGH
7.8 Nov 02

IBM Robotic Process Automation with Automation Anywhere 11 could store highly sensitive information in the form of unenc

CVE-2018-1547 HIGH
7.7 Jun 07

IBM Robotic Process Automation with Automation Anywhere 10.0 could allow a remote attacker to execute arbitrary code on

CVE-2019-4298 HIGH
7.1 Jul 01

IBM Robotic Process Automation with Automation Anywhere 11 uses a high privileged PostgreSQL account for database access

CVE-2018-1795 MEDIUM
6.1 Oct 05

IBM Robotic Process Automation with Automation Anywhere Enterprise 10 is vulnerable to cross-site scripting. Rated mediu

CVE-2019-4299 MEDIUM
5.5 Jul 01

IBM Robotic Process Automation with Automation Anywhere 11 could allow a local user to obtain highly sensitive informati

CVE-2018-1876 MEDIUM
5.5 Nov 02

IBM Robotic Process Automation with Automation Anywhere 11 could under certain cases, display the password in a Control

CVE-2017-1751 MEDIUM
5.4 Dec 20

IBM Robotic Process Automation with Automation Anywhere 10.0.0 is vulnerable to cross-site scripting. Rated medium sever

CVE-2019-4297 MEDIUM
5.4 Jul 01

IBM Robotic Process Automation with Automation Anywhere 11 could allow a remote authenticated attacker to conduct an LDA

CVE-2018-1812 MEDIUM
5.4 Oct 05

IBM Robotic Process Automation with Automation Anywhere Enterprise 10 is vulnerable to persistent cross-site scripting,

CVE-2019-4337 MEDIUM
5.3 Jul 01

IBM Robotic Process Automation with Automation Anywhere 11 could allow an attacker to obtain sensitive information due t

Share

CVE-2018-1552 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy