3.5

CVE-2021-33031

EPSS 0.19%
Veröffentlicht 10.06.2021 16:15:08
Zuletzt bearbeitet 21.11.2024 06:08:09
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In LabCup before <v2_next_18022, it is possible to use the save API to perform unauthorized actions for users without access to user management in order to, after successful exploitation, gain access to a victim's account. A user without the user-management privilege can change another user's email address if the attacker knows details of the victim such as the exact roles and group roles, ID, and remote authentication ID settings. These must be sent in a modified save API request. It was fixed in 6.3.0.03.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Labcup ≫ Labcup Version < v2_next_18022

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.19%	0.407

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.1	1.6	1.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/Accenture/AARO-Bugs/blob/master/AARO-CVE-List.md

Third Party Advisory

https://labcup.net/privacy-data-security/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-33031

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-33031

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-33031

EUVD