Authorization Bypass in UPV PEIX
Posted date
31/05/2023
Importance
3 - Medium
Affected Resources
UPV PEIX
Description
INCIBE has coordinated the publication of a vulnerability in UPV PEIX, an internship management system at the School of Computer Engineering of the Universitat Politècnica de València (UPV). The vulnerability was discovered by Pablo Alcarria Lozano and Germán Planells García.
The following code has been assigned to this vulnerability:
- CVE-2023-2544:
- CVSS v3.1 base score: 5.3.
- CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
- Vulnerability type: CWE-639: authorization bypass through user-controlled key.
Solution
This vulnerability was fixed in August 2022.
Detail
- CVE-2023-2544: authorization bypass vulnerability in UPV PEIX, affecting the component "pdf_curri_new.php". Through a POST request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users.
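The control that CWE-639 calls for is a server-side check that the requested record belongs to the authenticated user. The PHP below is an added example, not code from UPV PEIX: the function names, the session layout, the `id` key and the sample records are all assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample store: CV records keyed by record id, each with one owner.
function cv_records(): array
{
    return [
        101 => ['owner' => 'alice', 'cv' => 'CV data for alice'],
        102 => ['owner' => 'bob',   'cv' => 'CV data for bob'],
    ];
}

// Flawed pattern: the record is selected only by the client-supplied id.
function fetch_cv_flawed(array $session, array $post): ?string
{
    if (!isset($session['user'])) {
        return null;                        // authentication is checked ...
    }
    $id = (int)($post['id'] ?? 0);
    return cv_records()[$id]['cv'] ?? null; // ... but ownership is not
}

// Corrected pattern: validate the id, then require that the record's owner
// matches the user held in the server-side session.
function fetch_cv_checked(array $session, array $post): ?string
{
    if (!isset($session['user'])) {
        return null;
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    $records = cv_records();
    if ($id === false || !array_key_exists($id, $records)) {
        return null;
    }
    // Same result for "no such record" and "not your record", so the
    // response does not reveal which ids exist.
    return $records[$id]['owner'] === $session['user'] ? $records[$id]['cv'] : null;
}

$session = ['user' => 'alice'];             // constructed authenticated session
foreach (['101', '102', 'abc'] as $rawId) { // constructed POST values
    $post = ['id' => $rawId];
    printf("id=%s flawed=%s checked=%s\n", $rawId,
        var_export(fetch_cv_flawed($session, $post), true),
        var_export(fetch_cv_checked($session, $post), true));
}
```

Where the application allows it, deriving the record from the session identity instead of accepting an identifier from the request removes the user-controlled key altogether.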