CVE-2021-33031 Information

Description

In LabCup before <v2_next_18022 it is possible to use the save API to perform unauthorized actions for users without access to user management in order to after successful exploitation gain access to a victim’s account. A user without the user-management privilege can change another user’s email address if the attacker knows details of the victim such as the exact roles and group roles ID and remote authentication ID settings. These must be sent in a modified save API request. It was fixed in 6.3.0.03.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Reference

https://github.com/Accenture/AARO-Bugs/blob/master/AARO-CVE-List.md https://labcup.net/privacy-data-security/

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

LOW

Base Score

NONE

Base Severity

3.1