History: Oct 15, 2024 - 4:15 a.m.

CVE-2024-9970

2024-10-15 04:15:04
CWE-565
twcert
web.nvd.nist.gov
flowmaster bpm plus, newtype, privilege escalation, vulnerability, remote attackers, regular privileges, administrator, cookie tampering

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.9
Confidence: High

EPSS: 0.001
Percentile: 20.1%

The FlowMaster BPM Plus system from NewType has a privilege escalation vulnerability. Remote attackers with regular privileges can elevate their privileges to administrator by tampering with a specific cookie.

Affected configurations

Nvd

Node: newtype  flowmaster_bpm_plus  Range < 5.3.1

Vendor   Product              Version  CPE
newtype  flowmaster_bpm_plus  *        cpe:2.3:a:newtype:flowmaster_bpm_plus:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "FlowMaster BPM Plus",
    "vendor": "NewType",
    "versions": [
      {
        "lessThan": "5.3.1",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]
