CVE-2019-17202 Information

Description

FastTrack Admin By Request 6.1.0.0 supports group policies that are supposed to allow only a select range of users to elevate to Administrator privilege at will. If a user does not have direct access to the elevation feature through group policies they are prompted to enter a PIN code in a challenge-response manner upon attempting to elevate privileges. The challenge’s response uses a simple algorithm that can be easily emulated via data (customer ID and device name) available to all users and thus any user can elevate to Administrator privilege.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://improsec.com/en/responsible-disclosure

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.8