Lucene search

MitreCVE-2022-45178

HistoryApr 14, 2023 - 2:15 p.m.

CVE-2022-45178

2023-04-1414:15:10

mitre

web.nvd.nist.gov

cve

2022

45178

livebox collaboration

vdesk

broken access control

api

saml

user

privilege escalation

security vulnerability

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.001

Percentile

29.2%

JSON

An issue was discovered in LIVEBOX Collaboration vDesk through v018. Broken Access Control exists under the /api/v1/vdeskintegration/saml/user/createorupdate endpoint, the /settings/guest-settings endpoint, the /settings/samlusers-settings endpoint, and the /settings/users-settings endpoint. A malicious user (already logged in as a SAML User) is able to achieve privilege escalation from a low-privilege user (FGM user) to an administrative user (GGU user), including the administrator, or create new users even without an admin role.

Affected configurations

Nvd

Node

liveboxcloudvdeskRange≤018

VendorProductVersionCPE
liveboxcloudvdesk*cpe:2.3:a:liveboxcloud:vdesk:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
liveboxcloud	vdesk	*	cpe:2.3:a:liveboxcloud:vdesk::::::::

References

www.gruppotim.it/it/footer/red-team.html

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.001

Percentile

29.2%

JSON

Related for CVE-2022-45178