8.8
CVE-2022-2921
- EPSS 1.11%
- Veröffentlicht 21.08.2022 04:15:10
- Zuletzt bearbeitet 21.11.2024 07:01:55
- Quelle security@huntr.dev
- CVE-Watchlists
- Unerledigt
LoginExposure of Private Personal Information to an Unauthorized Actor in notrinos/notrinoserp
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update companies, install/update languages, install/activate extensions, install/activate themes and other permissive actions.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Notrinos ≫ Notrinoserp Version < 0.7
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.11% | 0.615 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| security@huntr.dev | 8.8 | 2.8 | 5.9 |
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
https://github.com/notrinos/notrinoserp/commit/1b9903f4deea3289872793e60d730c63ecbf7b45
https://huntr.dev/bounties/51b32a1c-946b-4390-a212-b6c4b6e4115c