Unrated severityNVD Advisory· Published May 16, 2018· Updated Aug 5, 2024

CVE-2018-10240

Description

SolarWinds Serv-U MFT before 15.1.6 HFv1 assigns authenticated users a low-entropy session token that can be included in requests to the application as a URL parameter in lieu of a session cookie. This session token's value can be brute-forced by an attacker to obtain the corresponding session cookie and hijack the user's session.

Affected products

SolarWinds/Serv-U MFTllm-create
Range: <15.1.6 HFv1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.bishopfox.com/news/2018/05/solarwinds-serv-u-managed-file-transfer-insufficient-session-id-entropy/mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000