Vulners
Lucene search
Lansweeper 7.2 - Incorrect Access Control
🗓️ 23 Jun 2020 00:00:00Reported by Amel BOUZIANE-LEBLONDType 
exploitdb🔗 www.exploit-db.com👁 526 Views
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | Lansweeper 7.2 - Incorrect Access Control Vulnerability | 24 Jun 202000:00 | – | zdt |
| Lansweeper 7.2 Default Account / Remote Code Execution Vulnerability | 26 Jun 202000:00 | – | zdt |
 | Lansweeper Command Execution Vulnerability | 16 Jun 202000:00 | – | cnvd |
 | CVE-2020-14011 | 15 Jun 202014:36 | – | cve |
 | CVE-2020-14011 | 15 Jun 202014:36 | – | cvelist |
 | CVE-2020-14011 | 15 Jun 202015:15 | – | nvd |
 | CVE-2020-14011 | 15 Jun 202015:15 | – | osv |
 | Lansweeper 7.2 Default Account / Remote Code Execution | 23 Jun 202000:00 | – | packetstorm |
 | Command injection | 15 Jun 202015:15 | – | prion |
 | CVE-2020-14011 | 22 May 202516:19 | – | redhatcve |
10
# Exploit Title: Lansweeper 7.2 - Incorrect Access Control
# SHODAN DORK : title:"Lansweeper - Login"
# Date: 2020-06-14
# Exploit Author: Amel BOUZIANE-LEBLOND
# Vendor Homepage: https://www.lansweeper.com/
# Software Link: https://www.lansweeper.com
# Version: 6.0.x through 7.2.x
# Tested on: Windows
# CVE : CVE-2020-14011
### Title:
Incorrect Access Control.
### Category:
Exploit
### Severity:
Critical
### Description:
Lansweeper 6.0.x through 7.2.x has a default installation in which the
admin password is configured for the admin account, unless "Built-in
admin" is manually unchecked. This allows command execution via the
Add New Package and Scheduled Deployments features.
### Other observation:
Hi, This issue is kind of critical,
By using shodan with this filter title:"Lansweeper - Login"
We will find some Lansweeper with default installation on it
### Details:
The Lansweeper application is agentless network inventory software that can be used for IT asset management.
It uses the ASP.NET technology on its web application.
### Analysis:
When you install Lansweeper 6.0 or a more recent Lansweeper release and access the web console for the first time,
you are presented with a First Run Wizard,
which allows you to set up scanning and configure some basic options.
Any subsequent times you access the console,
you are presented with a login screen.
By default, everyone in your network can access all of Lansweeper's features and menus simply by browsing to the web console URL and hitting the Built-in Admin button.
### Suggested mitigation:
restrict access to the console and configure what users can see or do once they've been granted access.
You assign a built-in or custom user role, a set of permissions, to user groups or individual user accounts.
A user's role determines what the user can see or do within the console..
### Impact/Risk:
Remote code execution
can expose the organization to unauthorized access of data and programs, fraud.
--
Amel BOUZIANE-LEBLONDData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Jun 2020 00:00Current
9.7High risk
Vulners AI Score9.7
CVSS 27.5
CVSS 3.19.8
EPSS0.3383