CVE-2020-37008
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
EasyPMS 1.0.0 contains an authentication bypass vulnerability that allows unprivileged users to manipulate SQL queries in JSON requests to access admin user information. Attackers can exploit weak input validation by injecting single quotes in ID parameters and modify admin user passwords without proper token authentication.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Elektraweb | EasyPMS | 1.0.0 | affected |
Weaknesses
- CWE-639: Authorization Bypass Through User-Controlled Key
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
- https://www.exploit-db.com/exploits/48858
- https://www.elektraweb.com/en/
- https://www.vulncheck.com/advisories/easypms-authentication-bypass
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.