CVE-2018-16495 — HIGH (8.8)

Q: How severe is CVE-2018-16495?

CVE-2018-16495 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-16495?

Check the references section above for vendor advisories and patch information. Affected products include: Versa-Networks Versa Operating System.

Vulnerability Description

In VOS user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after the user successfully logs into the application. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Versa-Networks	Versa Operating System	< 16.1r2s11

Related Weaknesses (CWE)

CWE-384

References

https://hackerone.com/reports/1168192Third Party Advisory
https://hackerone.com/reports/1168192Third Party Advisory

FAQ

What is CVE-2018-16495?

CVE-2018-16495 is a vulnerability with a CVSS score of 8.8 (HIGH). In VOS user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after the user successfully logs into the application. Failing to issue a new ...

How severe is CVE-2018-16495?

CVE-2018-16495 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-16495?

Check the references section above for vendor advisories and patch information. Affected products include: Versa-Networks Versa Operating System.