Lucene search

GitHub_MCVELIST:CVE-2020-15243

HistoryOct 08, 2020 - 10:40 p.m.

CVE-2020-15243 WebApi Authentication attribute missing in Smartstore

2020-10-0822:40:12

CWE-287

GitHub_M

www.cve.org

smartstore

version 4.0.0

version 4.0.1

webapi authentication

vulnerability

update

workaround

uninstall

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.4

Confidence

High

EPSS

0.003

Percentile

70.1%

JSON

Affected versions of Smartstore have a missing WebApi Authentication attribute. This vulnerability affects Smartstore shops in version 4.0.0 & 4.0.1 which have installed and activated the Web API plugin. Users of Smartstore 4.0.0 and 4.0.1 must merge their repository with 4.0.x or overwrite the file SmartStore.Web.Framework in the /bin directory of the deployed shop with this file. As a workaround without updating uninstall the Web API plugin to close this vulnerability.

CNA Affected

[
  {
    "product": "SmartStoreNET",
    "vendor": "smartstore",
    "versions": [
      {
        "status": "affected",
        "version": ">= 4.0.0, <= 4.0.1"
      }
    ]
  }
]

References

github.com/smartstore/SmartStoreNET/security/advisories/GHSA-8g9m-jx26-qp4h

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.4

Confidence

High

EPSS

0.003

Percentile

70.1%

JSON

Related for CVELIST:CVE-2020-15243