Security restrictions bypass in Convert Plus - #VU18639
Published: May 30, 2019
Vulnerability identifier: #VU18639
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: N/A
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Convert Pro
Affected software:
Convert Plus
Convert Plus
Detailed vulnerability description
The vulnerability allows a remote attacker to gain administrative access to the website.
The vulnerability exists due to application uses the supplied user role during registration and assign it to the new account. A remote attacker can register with the vulnerable website and assign administrative privileges to himself during registration.
Successful exploitation of the vulnerability allows a remote attacker to gain full access to the affected website.
Remediation
Install updates from vendor's website.