CVE-2018-17791 - OpenCVE

Newgen OmniFlow Intelligent Business Process Suite (iBPS) 7.0 has an "improper server side validation" vulnerability where client-side validations are tampered, and inappropriate information is stored on the server side and fetched from the server every time the user visits the D, creating business confusion. In the worst case, all available resources are consumed while processing the data, resulting in unavailability of the service to legitimate users. This occurs because non-editable parameters can be modified by manually editing a disabled form field within the developer options.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Newgensoft	Omniflow Intelligent Business Process Suite

Configuration 1 [-]

cpe:2.3:a:newgensoft:omniflow_intelligent_business_process_suite:7.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/154061/OmniDoc-7.0-Input-Validation.html
https://packetstormsecurity.com/files/cve/CVE-2018-17791

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-08-21T19:24:17

Updated: 2024-08-05T10:54:10.724Z

Reserved: 2018-09-30T00:00:00

Link: CVE-2018-17791

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-08-21T20:15:11.710

Modified: 2020-08-24T17:37:01.140

Link: CVE-2018-17791

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Newgen OmniFlow Intelligent Business Process Suite (iBPS) 7.0 has an \"improper server side validation\" vulnerability where client-side validations are tampered, and inappropriate information is stored on the server side and fetched from the server every time the user visits the D, creating business confusion. In the worst case, all available resources are consumed while processing the data, resulting in unavailability of the service to legitimate users. This occurs because non-editable parameters can be modified by manually editing a disabled form field within the developer options."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-09-26T19:44:47", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/154061/OmniDoc-7.0-Input-Validation.html"}, {"tags": ["x_refsource_MISC"], "url": "https://packetstormsecurity.com/files/cve/CVE-2018-17791"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-17791", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Newgen OmniFlow Intelligent Business Process Suite (iBPS) 7.0 has an \"improper server side validation\" vulnerability where client-side validations are tampered, and inappropriate information is stored on the server side and fetched from the server every time the user visits the D, creating business confusion. In the worst case, all available resources are consumed while processing the data, resulting in unavailability of the service to legitimate users. This occurs because non-editable parameters can be modified by manually editing a disabled form field within the developer options."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://packetstormsecurity.com/files/154061/OmniDoc-7.0-Input-Validation.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/154061/OmniDoc-7.0-Input-Validation.html"}, {"name": "https://packetstormsecurity.com/files/cve/CVE-2018-17791", "refsource": "MISC", "url": "https://packetstormsecurity.com/files/cve/CVE-2018-17791"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T10:54:10.724Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/154061/OmniDoc-7.0-Input-Validation.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://packetstormsecurity.com/files/cve/CVE-2018-17791"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-17791", "datePublished": "2019-08-21T19:24:17", "dateReserved": "2018-09-30T00:00:00", "dateUpdated": "2024-08-05T10:54:10.724Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:newgensoft:omniflow_intelligent_business_process_suite:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "4B7EF03D-85CD-4EC0-841B-21DC0A5E648E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Newgen OmniFlow Intelligent Business Process Suite (iBPS) 7.0 has an \"improper server side validation\" vulnerability where client-side validations are tampered, and inappropriate information is stored on the server side and fetched from the server every time the user visits the D, creating business confusion. In the worst case, all available resources are consumed while processing the data, resulting in unavailability of the service to legitimate users. This occurs because non-editable parameters can be modified by manually editing a disabled form field within the developer options."}, {"lang": "es", "value": "Newgen OmniFlow Intelligent Business Process Suite (iBPS) 7.0 tiene una vulnerabilidad de \"validaci\u00f3n incorrecta del lado del servidor\" donde las validaciones del lado del cliente se alteran, y la informaci\u00f3n inapropiada se almacena en el lado del servidor y se obtiene del servidor cada vez que el usuario visita la D, creando confusi\u00f3n empresarial. En el peor de los casos, todos los recursos disponibles se consumen mientras se procesan los datos, lo que resulta en la falta de disponibilidad del servicio para usuarios leg\u00edtimos. Esto ocurre porque los par\u00e1metros no editables pueden modificarse editando manualmente un campo de formulario deshabilitado dentro de las opciones del desarrollador."}], "id": "CVE-2018-17791", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-21T20:15:11.710", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/154061/OmniDoc-7.0-Input-Validation.html"}, {"source": "cve@mitre.org", "url": "https://packetstormsecurity.com/files/cve/CVE-2018-17791"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-669"}], "source": "nvd@nist.gov", "type": "Primary"}]}