Lucene search

MitreCVE-2022-45172

HistoryJan 31, 2023 - 6:15 p.m.

CVE-2022-45172

2023-01-3118:15:09

CWE-863

mitre

web.nvd.nist.gov

cve-2022-45172

livebox collaboration

vdesk

broken access control

api

registration

validation

user integration

change password

authorization logic

privilege escalation

account theft

security vulnerability

nvd

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.001

Percentile

50.8%

JSON

An issue was discovered in LIVEBOX Collaboration vDesk before v018. Broken Access Control can occur under the /api/v1/registration/validateEmail endpoint, the /api/v1/vdeskintegration/user/adduser endpoint, and the /api/v1/registration/changePasswordUser endpoint. The web application is affected by flaws in authorization logic, through which a malicious user (with no privileges) is able to perform privilege escalation to the administrator role, and steal the accounts of any users on the system.

Affected configurations

Nvd

Node

liveboxcloudvdeskRange<018

VendorProductVersionCPE
liveboxcloudvdesk*cpe:2.3:a:liveboxcloud:vdesk:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
liveboxcloud	vdesk	*	cpe:2.3:a:liveboxcloud:vdesk::::::::

References

www.gruppotim.it/it/footer/red-team.html

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.001

Percentile

50.8%

JSON

Related for CVE-2022-45172