Lucene search

MitreCVELIST:CVE-2020-26171

HistoryDec 18, 2020 - 9:28 a.m.

CVE-2020-26171

2020-12-1809:28:06

mitre

www.cve.org

insecure

document attachment

vulnerability

manipulated

workitems

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

4.7

Confidence

High

EPSS

0.001

Percentile

24.8%

JSON

In tangro Business Workflow before 1.18.1, the documentId of attachment uploads to /api/document/attachments/upload can be manipulated. By doing this, users can add attachments to workitems that do not belong to them.

References

blog.to.com/advisory-tangro-bwf-1-17-5-multiple-vulnerabilities/

www.tangro.de/

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

4.7

Confidence

High

EPSS

0.001

Percentile

24.8%

JSON

Related for CVELIST:CVE-2020-26171