Improper access control in Custom Searchable Data Entry System - #VU25822
Published: March 9, 2020
Vulnerability identifier: #VU25822
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vendor: Ghazale Shirazi
Affected software:
Custom Searchable Data Entry System
Custom Searchable Data Entry System
Detailed vulnerability description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application, leading to data modification and deletion, including the potential to delete the entire contents of any table in a vulnerable site’s database.
Note: the vulnerability is being actively exploited in the wild.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.