CVE-2018-7295

ffxivlauncher.exe in Square Enix Final Fantasy XIV 4.21 and 4.25 on Windows is affected by Improper Enforcement of Message Integrity During Transmission in a Communication Channel, allowing a man-in-the-middle attacker to steal user credentials because a session retrieves global.js via http before proceeding to use https. This is fixed in Patch 4.3.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
VendorProductVersion
square-enixfinal_fantasy_xiv
4.21
square-enixfinal_fantasy_xiv
4.25
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://raw.githubusercontent.com/WizardShotTheFood/advisories/master/CVE-2018-7295.txt
https://raw.githubusercontent.com/WizardShotTheFood/advisories/master/CVE-2018-7295.txt