Improper access control in Email Subscribers & Newsletters - #VU22764
Published: November 14, 2019
Vulnerability identifier: #VU22764
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: icegram
Affected software:
Email Subscribers & Newsletters
Email Subscribers & Newsletters
Detailed vulnerability description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions, export the list of subscribers and obtain sensitive information, such as user emails by sending the correct query variables and corresponding parameters.
Remediation
Install updates from vendor's website.