CVE-2020-26679

EPSS 0.14%
Veröffentlicht 26.05.2021 12:15:15
Zuletzt bearbeitet 21.11.2024 05:20:14
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

vFairs 3.3 is affected by Insecure Permissions. Any user logged in to a vFairs virtual conference or event can modify any other users profile information or profile picture. After receiving any user's unique identification number and their own, an HTTP POST request can be made update their profile description or supply a new profile image. This can lead to potential cross-site scripting attacks on any user, or upload malicious PHP webshells as "profile pictures." The user IDs can be easily determined by other responses from the API for an event or chat room.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vfairs ≫ Vfairs Version3.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.14%	0.346

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:N/I:P/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

http://vfairs.com

Vendor Advisory

https://www.huntress.com/blog/zero-day-vulnerabilities-in-popular-event-management-platforms-could-leave-msps-open-to-attack

Third Party Advisory

https://api.vfairs.com/v1/profiles

Vendor Advisory

https://api.vfairs.com/v1/profiles?access_key=

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-26679

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-26679

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-26679

EUVD