Authorization Bypass in UPV PEIX

Posted date

31/05/2023

Importance

3 - Media

Affected Resources

UPV PEIX

Description

INCIBE has coordinated the publication of a vulnerability in UPV PEIX, an internship management system at the School of Computer Engineering of the Universitat Politècnica de València (UPV), which has been discovered by Pablo Alcarria Lozano y Germán Planells García.

The following code has been assigned to this vulnerability:

CVE-2023-2544:
- CVSS v3.1 base score: 5,3.
- CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
- Vulnerability type: CWE-639: authorization bypass through user-controlled key.

Solution

This vulnerability has been fixed in August 2022.

Detail

CVE-2023-2544: authorization bypass vulnerability in UPV PEIX, affecting the component "pdf_curri_new.php". Through a POST request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users.

References list

Web-based internship management system

Etiquetas