How severe is CVE-2018-11338?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2018-11338?

This is classified as CWE-319, which is a common weakness in software security.

CVE-2018-11338 - HIGH Severity | CVSS 7.5

Vulnerability Description

Intuit Lacerte 2017 for Windows in a client/server environment transfers the entire customer list in cleartext over SMB, which allows attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM) attacks via unspecified vectors. The customer list contains each customer's full name, social security number (SSN), address, job title, phone number, Email address, spouse's phone/Email address, and other sensitive information. After the client software authenticates to the server database, the server sends the customer list. There is no need for further exploitation as all sensitive data is exposed. This vulnerability was validated on Intuit Lacerte 2017, however older versions of Lacerte may be vulnerable.

Related Vulnerabilities

CVE-2002-1949

HIGH

CVSS:7.5(High)

The Network Attached Storage (NAS) Administration Web Page for Iomega NAS A300U transmits passwords in cleartext, which allows remote attackers to sniff the administrative password.

CWE-3192002

CVE-2005-3140

HIGH

CVSS:7.5(High)

Procom NetFORCE 800 4.02 M10 Build 20 and possibly other versions sends the NIS password map (passwd.nis) as a file attachment in diagnostic e-mail messages, which allows remote attackers to obtain th...

CWE-3192005

CVE-2008-0374

HIGH

CVSS:7.5(High)

OKI C5510MFP Printer CU H2.15, PU 01.03.01, System F/W 1.01, and Web Page 1.00 sends the configuration of the printer in cleartext, which allows remote attackers to obtain the administrative password ...

CWE-3192008

CVE-2008-3289

HIGH

CVSS:7.5(High)

EMC Dantz Retrospect Backup Client 7.5.116 sends the password hash in cleartext at an unspecified point, which allows remote attackers to obtain sensitive information via a crafted packet.

CWE-3192008

CVE-2008-4122

HIGH

CVSS:7.5(High)

Joomla! 1.5.8 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http...

CWE-3192008

CVE-2008-4390

HIGH

CVSS:7.5(High)

The Cisco Linksys WVC54GC wireless video camera before firmware 1.25 sends cleartext configuration data in response to a Setup Wizard remote-management command, which allows remote attackers to obtain...

CWE-3192008