Improper access control in Event management and registration - CVE-2020-25026

 


Published: September 3, 2020


Vulnerability identifier: #VU46246
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-25026
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Event management and registration
Software vendor: Torben Hansen

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the backend module. A remote authenticated attacker can send emails to the participants of events that the attacker's user account does not have access to, bypassing the implemented security restrictions and gaining unauthorized access to the application.


Remediation

Install updates from the vendor's website.
