GitHub Advisory DatabaseGHSA-48P3-XFVW-G59CIncorrect Access Control in ImpressCMS
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
0.04 Low
EPSS
Percentile
92.0%
ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated attackers (who are, by design, able to have a security token).
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| impresscms/impresscms | lt | 1.4.3 |
References
karmainsecurity.com/KIS-2022-03
seclists.org/fulldisclosure/2022/Mar/45
github.com/advisories/GHSA-48p3-xfvw-g59c
github.com/ImpressCMS/impresscms/pull/967
github.com/ImpressCMS/impresscms/releases/tag/v1.4.3
hackerone.com/reports/1081137
nvd.nist.gov/vuln/detail/CVE-2021-26598
packetstormsecurity.com/files/166403/ImpressCMS-1.4.2-Incorrect-Access-Control.html
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
0.04 Low
EPSS
Percentile
92.0%