VULNRICHMENT:CVE-2024-9970 (vulnrichment, twcert)
History: Oct 15, 2024 - 3:36 a.m.

CVE-2024-9970 NewType FlowMaster BPM Plus - Privilege Escalation

2024-10-15 03:36:15
CWE-565
twcert
github.com
Tags: newtype, flowmaster bpm plus, privilege escalation, vulnerability, remote attackers, administrator privileges, specific cookie tampering

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.2
Confidence: High

SSVC

Exploitation: none
Automatable: no
Technical Impact: total

The FlowMaster BPM Plus system from NewType has a privilege escalation vulnerability. Remote attackers with regular privileges can elevate their privileges to administrator by tampering with a specific cookie.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:new_type:flowmaster_bpm_plus:*:*:*:*:*:*:*:*"
    ],
    "vendor": "new_type",
    "product": "flowmaster_bpm_plus",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "5.3.1",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
