
Authorization Bypass in UPV PEIX

Posted date
31/05/2023
Importance
3 - Medium
Affected Resources

UPV PEIX

Description

INCIBE has coordinated the publication of a vulnerability in UPV PEIX, an internship management system at the School of Computer Engineering of the Universitat Politècnica de València (UPV), discovered by Pablo Alcarria Lozano and Germán Planells García.

The following code has been assigned to this vulnerability:

  • CVE-2023-2544:
    • CVSS v3.1 base score: 5.3.
    • CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
    • Vulnerability type: CWE-639: authorization bypass through user-controlled key.

Solution

This vulnerability was fixed in August 2022.

Detail
  • CVE-2023-2544: authorization bypass vulnerability in UPV PEIX, affecting the component "pdf_curri_new.php". Through a POST request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users.
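
The server-side ownership check that CWE-639 calls for, as an added example that is not UPV PEIX code and not taken from the advisory. The function name, the `id` parameter name, the session layout and the `internship_coordinator` role are all hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration of a CWE-639 ownership check. All names are hypothetical;
// this is not UPV PEIX code.

final class ForbiddenException extends RuntimeException {}

/**
 * Return the record id the caller may export, or throw.
 *
 * @param array $sessionUser identity fixed server-side at login: ['id' => int, 'role' => string]
 * @param array $post        request parameters, fully client-controlled
 */
function authorisedRecordId(array $sessionUser, array $post): int
{
    // Accept the client-supplied key only as a positive integer.
    $requested = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($requested === false) {
        throw new InvalidArgumentException('malformed id');
    }

    // Authorisation is decided from the session, never from the request:
    // owners may read their own record, listed staff roles (assumed) may read any.
    $isOwner = $requested === $sessionUser['id'];
    $isStaff = in_array($sessionUser['role'], ['internship_coordinator'], true);
    if (!$isOwner && !$isStaff) {
        // Log denials: one account requesting many ids that are not its own
        // is the pattern to alert on for this bug class.
        error_log(sprintf('export denied: user=%d requested=%d',
            $sessionUser['id'], $requested));
        throw new ForbiddenException('not your record');
    }
    return $requested;
}

// Constructed requests: student 17 asks for their own record, then for record 18,
// then sends a malformed value.
$student = ['id' => 17, 'role' => 'student'];
foreach ([['id' => '17'], ['id' => '18'], ['id' => '18abc']] as $post) {
    try {
        printf("id=%s -> allowed (%d)\n", $post['id'], authorisedRecordId($student, $post));
    } catch (InvalidArgumentException | ForbiddenException $e) {
        printf("id=%s -> rejected: %s\n", $post['id'], $e->getMessage());
    }
}
```

Only the first request is allowed; the other two are rejected before any record is loaded.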