10

CVE-2019-9884

Exploit

eClass platform contains a Broken Access Control vulnerability

eClass platform < ip.2.5.10.2.1 allows an attacker to use GETS method to request /admin page to bypass the password validation and access management page.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
EclassEclass Ip Version < 2.5.10.2.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.96% 0.854
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 10 10 10
AV:N/AC:L/Au:N/C:C/I:C/A:C
twcert@cert.org.tw 9.8 3.9 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-425 Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

http://surl.twcert.org.tw/b7jfz
Third Party Advisory
https://tvn.twcert.org.tw/taiwanvn/TVN-201904004
Third Party Advisory
https://zeroday.hitcon.org/vulnerability/ZD-2019-00332
Third Party Advisory
Exploit