CVE-2018-14573 - OpenCVE

A Local File Inclusion (LFI) vulnerability exists in the Web Interface API of TightRope Media Carousel Digital Signage before 7.3.5. The RenderingFetch API allows for the downloading of arbitrary files through the use of directory traversal sequences, aka CSL-1683.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Trms	Tightrope Media Carousel Digital Signage

Configuration 1 [-]

cpe:2.3:a:trms:tightrope_media_carousel_digital_signage:*:*:*:*:*:*:*:*

References

Link	Resource
http://release-notes.trms.com/txt/448	Not Applicable Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-03T16:22:28

Updated: 2022-10-03T16:22:28

Reserved: 2022-10-03T00:00:00

Link: CVE-2018-14573

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-07-23T23:29:00.217

Modified: 2018-09-20T14:16:23.810

Link: CVE-2018-14573

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trms:tightrope_media_carousel_digital_signage:*:*:*:*:*:*:*:*", "matchCriteriaId": "237987D7-1EA7-4390-9DD6-61AC362FFE43", "versionEndExcluding": "7.3.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Local File Inclusion (LFI) vulnerability exists in the Web Interface API of TightRope Media Carousel Digital Signage before 7.3.5. The RenderingFetch API allows for the downloading of arbitrary files through the use of directory traversal sequences, aka CSL-1683."}, {"lang": "es", "value": "Existe una vulnerabilidad de inclusi\u00f3n de archivos locales (LFI) en la API de la interfaz web de TightRope Media Carousel Digital Signage en versiones anteriores a la 7.3.5. La API RenderingFetch permite la descarga de archivos arbitrarios mediante el uso de secuencias de salto de directorio, lo que tambi\u00e9n se conoce como CSL-1683."}], "id": "CVE-2018-14573", "lastModified": "2018-09-20T14:16:23.810", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-23T23:29:00.217", "references": [{"source": "cve@mitre.org", "tags": ["Not Applicable", "Third Party Advisory"], "url": "http://release-notes.trms.com/txt/448"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}