Hosting Controller 6.1 Hotfix 1.9 and earlier allows remote attackers to register arbitrary users via a direct request to addsubsite.asp with the loginname and password parameters set.

Threat-Mapped Scoring

Score: 3.0

Priority: P2 - Serious (High)

• S1 – Steal Customer Account Information

EPSS

Score: 0.02121
Percentile: 0.83404

CVSS Scoring

Mapped CWE(s)

• CWE-425 : Direct Request ('Forced Browsing')

All CAPEC(s)

CAPEC(s) with Mapped TTPs

Mapped ATT&CK TTPs

• T1083 : File and Directory Discovery
  Kill Chain: discovery
• T1565.002 : Transmitted Data Manipulation
  Kill Chain: impact

Malware

APTs Threat Group Associations

Campaigns

Affected Products

• cpe:2.3:a:hostingcontroller:hosting_controller:*:*:*:*:*:*:*:*
• cpe:2.3:a:hostingcontroller:hosting_controller:6.1:-:*:*:*:*:*:*
• cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.0:*:*:*:*:*:*
• cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.1:*:*:*:*:*:*
• cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.2:*:*:*:*:*:*
• cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.3:*:*:*:*:*:*
• cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.4:*:*:*:*:*:*
• cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.5:*:*:*:*:*:*
• cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.6:*:*:*:*:*:*
• cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.7:*:*:*:*:*:*
• cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.8:*:*:*:*:*:*
• cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.9:*:*:*:*:*:*

← Back to Home