CVE-2018-1251 - OpenCVE

Dell EMC Unity and UnityVSA versions prior to 4.3.1.1525703027 contains a URL Redirection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect Unity users to arbitrary web URLs by tricking the victim user to click on a maliciously crafted Unisphere URL. Attacker could potentially phish information, including Unisphere users' credentials, from the victim once they are redirected.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dell	Emc Unity Emc Unity Firmware Emc Unityvsa

Configuration 1 [-]

AND

cpe:2.3:o:dell:emc_unity_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:emc_unity:-:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:dell:emc_unityvsa:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://seclists.org/fulldisclosure/2018/Sep/30

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2018-09-28T18:00:00Z

Updated: 2024-09-16T18:03:36.680Z

Reserved: 2017-12-06T00:00:00

Link: CVE-2018-1251

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-09-28T18:29:01.083

Modified: 2019-10-09T23:38:17.320

Link: CVE-2018-1251

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Dell EMC Unity", "vendor": "Dell EMC", "versions": [{"lessThan": "4.3.1.1525703027", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Dell EMC UnityVSA", "vendor": "Dell EMC", "versions": [{"lessThan": "4.3.1.1525703027", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2018-09-18T00:00:00", "descriptions": [{"lang": "en", "value": "Dell EMC Unity and UnityVSA versions prior to 4.3.1.1525703027 contains a URL Redirection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect Unity users to arbitrary web URLs by tricking the victim user to click on a maliciously crafted Unisphere URL. Attacker could potentially phish information, including Unisphere users' credentials, from the victim once they are redirected."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "URL Redirection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-09-28T17:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"name": "20180918 DSA-2018-101: Dell EMC Unity Family Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "https://seclists.org/fulldisclosure/2018/Sep/30"}], "source": {"discovery": "UNKNOWN"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "DATE_PUBLIC": "2018-09-18T04:00:00.000Z", "ID": "CVE-2018-1251", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Dell EMC Unity", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_value": "4.3.1.1525703027"}]}}, {"product_name": "Dell EMC UnityVSA", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_value": "4.3.1.1525703027"}]}}]}, "vendor_name": "Dell EMC"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Dell EMC Unity and UnityVSA versions prior to 4.3.1.1525703027 contains a URL Redirection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect Unity users to arbitrary web URLs by tricking the victim user to click on a maliciously crafted Unisphere URL. Attacker could potentially phish information, including Unisphere users' credentials, from the victim once they are redirected."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "URL Redirection"}]}]}, "references": {"reference_data": [{"name": "20180918 DSA-2018-101: Dell EMC Unity Family Multiple Vulnerabilities", "refsource": "FULLDISC", "url": "https://seclists.org/fulldisclosure/2018/Sep/30"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:51:49.174Z"}, "title": "CVE Program Container", "references": [{"name": "20180918 DSA-2018-101: Dell EMC Unity Family Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "https://seclists.org/fulldisclosure/2018/Sep/30"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2018-1251", "datePublished": "2018-09-28T18:00:00Z", "dateReserved": "2017-12-06T00:00:00", "dateUpdated": "2024-09-16T18:03:36.680Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dell:emc_unity_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE80D21A-B8AA-4429-9FE7-01522F9595A5", "versionEndExcluding": "4.3.1.1525703027", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:dell:emc_unity:-:*:*:*:*:*:*:*", "matchCriteriaId": "08D30CDA-12CB-4071-94EC-6186ED329072", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dell:emc_unityvsa:*:*:*:*:*:*:*:*", "matchCriteriaId": "FCAA53DD-EEFF-440F-9979-09B8521FDB64", "versionEndExcluding": "4.3.1.1525703027", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell EMC Unity and UnityVSA versions prior to 4.3.1.1525703027 contains a URL Redirection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect Unity users to arbitrary web URLs by tricking the victim user to click on a maliciously crafted Unisphere URL. Attacker could potentially phish information, including Unisphere users' credentials, from the victim once they are redirected."}, {"lang": "es", "value": "Dell EMC Unity y UnityVSA en versiones anteriores a la 4.3.1.1525703027 contiene una vulnerabilidad de redirecci\u00f3n de URL. Un atacante remoto no autenticado podr\u00eda explotar esta vulnerabilidad para redirigir a los usuarios de Unity a URL web arbitrarias enga\u00f1ando a la v\u00edctima para que haga clic en una URL de Unisphere maliciosamente manipulada. Los atacantes podr\u00edan captar informaci\u00f3n, incluyendo las credenciales de usuario de Unisphere, de la v\u00edctima una vez son redirigidos."}], "id": "CVE-2018-1251", "lastModified": "2019-10-09T23:38:17.320", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2018-09-28T18:29:01.083", "references": [{"source": "security_alert@emc.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/fulldisclosure/2018/Sep/30"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}]}