Home > Vulnerability Database > CVE-2018-10813

Mend.io Vulnerability Database

CVE-2018-10813

Date: June 5, 2018

In Dedos-web 1.0, the cookie and session secrets used in the Express.js application have hardcoded values that are visible in the source code published on GitHub. An attacker can edit the contents of the session cookie and re-sign it using the hardcoded secret. Due to the use of Passport.js, this could lead to privilege escalation.

Language: CSS

Severity Score

7.3

Related Resources (4)

Url: https://www.digitalinterruption.com/single-post/2018/06/04/Are-Your-Cookies-Telling-Your-Fortune

Url: https://nvd.nist.gov/vuln/detail/CVE-2018-10813

Url: https://github.com/aprendecondedos/dedos-web/pull/1

Url: https://www.mend.io/vulnerability-database/CVE-2018-10813

Severity Score

7.3

Weakness Type (CWE)

Use of Hard-coded Credentials

CWE-798

CVSS v3

Base Score:	7.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2018-10813

Date: June 5, 2018

Language: CSS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3

CVSS v2

Do you need more information?