Lucene search

MitreCVE-2020-35737

HistoryDec 30, 2020 - 8:15 p.m.

CVE-2020-35737

2020-12-3020:15:15

mitre

web.nvd.nist.gov

cve-2020-35737

correspondence management system

corms

newgen egov

user profile

unvalidated parameter

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.01

Percentile

84.1%

JSON

In Correspondence Management System (corms) in Newgen eGov 12.0, an attacker can modify other users’ profile information by manipulating the unvalidated UserIndex parameter, aka Insecure Direct Object Reference.

Affected configurations

Nvd

Node

newgensoftegovMatch12.0

VendorProductVersionCPE
newgensoftegov12.0cpe:2.3:a:newgensoft:egov:12.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
newgensoft	egov	12.0	cpe:2.3:a:newgensoft:egov:12.0:::::::*

References

packetstormsecurity.com/files/160826/Newgen-Correspondence-Management-System-eGov-12.0-Insecure-Direct-Object-Reference.html

gist.github.com/AliAlsinan/0323e57d2345ef0b4e73c803dba93486

www.exploit-db.com/exploits/49378

Social References

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.01

Percentile

84.1%

JSON

Related for CVE-2020-35737