Description

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1.

Remediation

References

CVE-2018-16476

Related Vulnerabilities

WordPress Plugin FeedWordPress Multiple Vulnerabilities (2015.0426)

WordPress Plugin Simple Download Monitor Multiple Cross-Site Scripting Vulnerabilities (3.9.4)

WordPress 5.3.x Multiple Vulnerabilities (5.3 - 5.3.6)

OpenSSL Use of a Broken or Risky Cryptographic Algorithm Vulnerability (CVE-2018-0734)

Drupal Other Vulnerability (CVE-2006-4120)

Severity

High

Classification

CVE-2018-16476 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities