CVE-2018-19276
CVE-2018-19276
Vexday Risk Score
85Fix now
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 10EPSS 98.8%KEV nãoPoC públicaNuclei simMetasploit simPatch —
Lifecycle
04 Feb 2019Metasploit module available
05 Feb 2019Public PoC
17 Mar 2019Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.
CVSS:3.0/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N
Affected products
n/a · n/apublic PoCs found — 6
githubgithub.com/mpgn/CVE-2018-19276★ 16cve_referencepacketstormsecurity.com/files/151553/OpenMRS-Platform-Insecure-Object-Deserialization.htmlunverifiedcve_referencepacketstormsecurity.com/files/155691/OpenMRS-Java-Deserialization-Remote-Code-Execution.htmlunverifiedcve_referencewww.exploit-db.com/exploits/46327/unverifiedexploitdbwww.exploit-db.com/exploits/46327unverifiedexploitdbwww.exploit-db.com/exploits/47792unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/151553/OpenMRS-Platform-Insecure-Object-Deserialization.htmlhttp://packetstormsecurity.com/files/155691/OpenMRS-Java-Deserialization-Remote-Code-Execution.htmlhttps://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserializationhttps://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607https://www.exploit-db.com/exploits/46327/