Improper access control in Email Subscribers & Newsletters - CVE-2020-5780

 

Improper access control in Email Subscribers & Newsletters - CVE-2020-5780

Published: September 11, 2020


Vulnerability identifier: #VU46643
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-5780
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: icegram
Affected software:
Email Subscribers & Newsletters

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the "class-es-newsletters.php" class. A remote attacker can send forged emails to all recipients from the available lists of contacts or subscribers with complete control over the content and subject of the email.


How to mitigate CVE-2020-5780

Install updates from vendor's website.

Sources